Webhook Validation Flaw in Discourse Discussion Platform
CVE-2026-53961
6.5MEDIUM
What is CVE-2026-53961?
In the Discourse discussion platform, prior versions failed to correctly validate Authenticated AWS SNS messages sent to the AWS SES bounce webhook. This oversight allowed any AWS account to send appropriately signed but maliciously composed Bounce notifications, which could lead to the revocation of targeted user emails. The vulnerability has been addressed in subsequent releases, ensuring proper binding of messages to trusted TopicArn values for enhanced security and integrity.
Affected Version(s)
discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1
discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2
discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5