Webhook Validation Flaw in Discourse Discussion Platform
CVE-2026-53961

6.5MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-53961?

In the Discourse discussion platform, prior versions failed to correctly validate Authenticated AWS SNS messages sent to the AWS SES bounce webhook. This oversight allowed any AWS account to send appropriately signed but maliciously composed Bounce notifications, which could lead to the revocation of targeted user emails. The vulnerability has been addressed in subsequent releases, ensuring proper binding of messages to trusted TopicArn values for enhanced security and integrity.

Affected Version(s)

discourse >= 2026.5.0-latest, < 2026.5.1 < 2026.5.0-latest, 2026.5.1

discourse >= 2026.4.0-latest, < 2026.4.2 < 2026.4.0-latest, 2026.4.2

discourse >= 2026.1.0-latest, < 2026.1.5 < 2026.1.0-latest, 2026.1.5

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.