Discourse Vulnerability Exposes Email Credentials to Group Owners
CVE-2026-44784

6.5MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44784?

A vulnerability in Discourse allows group owners, who may not have administrative or moderation privileges, to access SMTP credentials—including email passwords—through the group's history log. This risk is particularly significant for setups that have configured unique SMTP credentials for individual groups. As a result, unauthorized group owners can misuse access to send emails impersonating the group, which can lead to the compromise of sensitive information. The vulnerability has been resolved in subsequent versions, ensuring that OAuth and secure credential handling practices are upheld.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.