PatchSiren cyber security CVE debrief
CVE-2026-44780 discourse CVE debrief
CVE-2026-44780 is an information disclosure vulnerability in Discourse, an open-source discussion platform. It affects versions 2026.1.0-latest before 2026.1.4, 2026.3.0-latest before 2026.3.1, and 2026.4.0-latest before 2026.4.1. The ReviewableQueuedPostSerializer unconditionally includes payload[raw_email] for posts that arrived via incoming email. As a result, members of category moderation groups who can see the post in the review queue receive the full inbound email source, including headers, sender trace, MUA and body, even when they are not in view_raw_email_allowed_groups. The permission check that gates the dedicated raw-email endpoint is therefore bypassed by reading the queued post instead. The issue is fixed in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators of Discourse instances, in particular those that accept incoming email to create posts and that delegate moderation to category moderation groups, should care about this vulnerability. If the instance runs a version in one of the affected ranges, administrators should upgrade as soon as possible, since until then any category moderator who reaches the review queue can read the raw source of queued email-originated posts.
Technical summary
The ReviewableQueuedPostSerializer includes payload[raw_email] for posts created via incoming email without checking whether the viewing user belongs to view_raw_email_allowed_groups, the same permission that gates the dedicated raw-email endpoint. Any category moderation group member who can see the queued post in the review queue therefore receives the full inbound email source, including headers, sender trace, MUA and body, which may expose sensitive details such as the real sender address and the mail path the message took.
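The following is an added illustration, not Discourse's own code: a toy serializer that reproduces the shape of the bug described above next to a hardened version. The real ReviewableQueuedPostSerializer, Guardian and site-setting classes are not reproduced; the names `SITE_SETTING_VIEW_RAW_EMAIL_GROUPS`, `User`, `serialize_vulnerable`, `serialize_hardened` and `can_view_raw_email?` are assumptions, and the payload is constructed.

```ruby
# Added example (not Discourse code). Shows why an unconditional
# out["raw_email"] = payload["raw_email"] in a review-queue serializer
# bypasses the group check that protects the dedicated raw-email endpoint.

# Constructed stand-in for the view_raw_email_allowed_groups site setting.
SITE_SETTING_VIEW_RAW_EMAIL_GROUPS = ["staff"].freeze

# Minimal viewer model (assumption): a user with group memberships.
User = Struct.new(:username, :groups, :category_moderator) do
  def in_view_raw_email_groups?
    (groups & SITE_SETTING_VIEW_RAW_EMAIL_GROUPS).any?
  end
end

# Constructed payload of a queued post that arrived via incoming email.
# raw_email carries what the CVE text lists: headers, sender trace, MUA, body.
QUEUED_POST_PAYLOAD = {
  "raw" => "Hello from email",
  "via_email" => true,
  "raw_email" => [
    "Received: from mail.example.org by discourse.example.net",
    "From: alice@example.org",
    "User-Agent: Thunderbird",
    "",
    "Hello from email",
  ].join("\n"),
}.freeze

# Vulnerable shape: raw_email is emitted whenever present, regardless of
# who is reading the review queue. Any category moderator who can see the
# reviewable gets the full email source.
def serialize_vulnerable(payload, _viewer)
  out = { "raw" => payload["raw"], "via_email" => payload["via_email"] }
  out["raw_email"] = payload["raw_email"] if payload["raw_email"]
  out
end

# The same question the dedicated raw-email endpoint asks (assumed helper).
def can_view_raw_email?(viewer)
  viewer.in_view_raw_email_groups?
end

# Hardened shape: the serializer applies the raw-email permission itself,
# so reading the queued post is no longer a way around that gate.
def serialize_hardened(payload, viewer)
  out = { "raw" => payload["raw"], "via_email" => payload["via_email"] }
  if payload["raw_email"] && can_view_raw_email?(viewer)
    out["raw_email"] = payload["raw_email"]
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  cat_mod = User.new("bob", ["category_mods"], true)
  staff = User.new("alice", ["staff"], false)
  puts "vulnerable, category moderator: #{serialize_vulnerable(QUEUED_POST_PAYLOAD, cat_mod).keys.inspect}"
  puts "hardened, category moderator:   #{serialize_hardened(QUEUED_POST_PAYLOAD, cat_mod).keys.inspect}"
  puts "hardened, staff:                #{serialize_hardened(QUEUED_POST_PAYLOAD, staff).keys.inspect}"
end
```

The point of the hardened variant is not the specific group name but that the serializer and the dedicated endpoint consult the same permission, so a reviewer's view of the queue can never reveal more than a direct request for the raw email would.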
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a patched version of Discourse: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
- Until the upgrade is applied, review the membership of category moderation groups, since every member who can reach the review queue can read the raw source of queued email-originated posts; restrict membership to people who would be acceptable in view_raw_email_allowed_groups.
- Monitor review-queue activity for email-originated posts, and treat unexpected access to queued posts created via incoming email as worth investigating.
Evidence notes
The vulnerability was patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The CVE was published on 2026-06-12T21:16:21.643Z.
Official resources
- CVE-2026-44780 CVE record (CVE.org)
- CVE-2026-44780 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-44780 was published on 2026-06-12T21:16:21.643Z.