Information Disclosure in Discourse Open-Source Discussion Platform
CVE-2026-47263
What is CVE-2026-47263?
Discourse, an open-source discussion platform, is identified with a vulnerability in its handling of webhook events. Specifically, versions ranging from 2026.1.0 (latest) up to but not including 2026.1.4, as well as 2026.3.0 (latest) up to 2026.3.1, and 2026.4.0 (latest) up to 2026.4.1 have a flaw in the MessageBus.publish call for /web_hook_events/ in Jobs::RedeliverWebHookEvents. This allows the group_ids to not be passed, which inadvertently permits any authenticated or potentially anonymous user (when login requirements are disabled) to access the channel. Webhook IDs are sequential, making them easily enumerable. The vulnerability is addressed in the subsequent versions: 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1