Path Traversal Vulnerability in Discourse Discussion Platform
CVE-2026-45775

6.8MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-45775?

The vulnerability affects the Discourse open-source discussion platform, allowing an authenticated administrator on one site in a multisite setup to exploit backup handling. Through a crafted backup download request, an admin on Site A can gain unauthorized access to backup files belonging to Site B, compromising sensitive data if backups are stored locally. This issue has been addressed in updated versions: 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.