PatchSiren cyber security CVE debrief
CVE-2026-44783 discourse CVE debrief
CVE-2026-44783 is a medium-severity vulnerability in the Discourse discussion platform. A flaw in handling replies to whisper posts allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Sites using Discourse with whispers enabled should apply patches to prevent unauthorized posting to staff-only whisper channels.
Technical summary
The vulnerability, with a CVSS score of 5.4, allows authenticated users to inject content into staff-only whisper channels due to improper handling of replies to whisper posts. This affects Discourse versions from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a patched release (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1) to fix the vulnerability.
- Review and restrict whispers_allowed_groups configurations to minimize exposure.
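To triage a fleet against the affected ranges in the technical summary, the following added example (not part of the original debrief or of Discourse itself) classifies version strings and builds an upgrade list. It assumes Discourse version strings order the way Ruby's Gem::Version orders them, with a `-latest` build sorting before the plain release; the inventory, hostnames and the `whispers_enabled` field are constructed for illustration.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# [first affected, first fixed) pairs, copied from the technical summary.
AFFECTED_RANGES = [
  %w[2026.1.0-latest 2026.1.4],
  %w[2026.3.0-latest 2026.3.1],
  %w[2026.4.0-latest 2026.4.1],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Classify one version string.
# Returns [:affected, fixed_version], [:not_in_listed_ranges, nil] or [:unparseable, nil].
def classify(version_string)
  text = version_string.to_s.strip
  return [:unparseable, nil] if text.empty?
  v = Gem::Version.new(text) # assumption: "-latest" sorts before the plain release
  range = AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
  range ? [:affected, range[1].to_s] : [:not_in_listed_ranges, nil]
rescue ArgumentError
  [:unparseable, nil]
end

# Constructed inventory: hostnames, versions and flags are made up.
INVENTORY = {
  "forum-a.example.com" => { version: "2026.1.3", whispers_enabled: true },
  "forum-b.example.com" => { version: "2026.3.0-latest", whispers_enabled: false },
  "forum-c.example.com" => { version: "2026.4.1", whispers_enabled: true },
  "forum-d.example.com" => { version: "unknown", whispers_enabled: true },
}.freeze

# Build a per-host action list. A host in an affected range with whispers on is
# exposed; with whispers off the debrief says the site is not affected, so it is
# flagged at lower priority. Unparseable versions need a manual check.
def triage(inventory)
  inventory.each_with_object({}) do |(host, site), out|
    status, fixed = classify(site[:version])
    case status
    when :affected
      priority = site[:whispers_enabled] ? :exposed : :unpatched_whispers_off
      out[host] = { priority: priority, upgrade_to: fixed }
    when :unparseable
      out[host] = { priority: :check_manually, upgrade_to: nil }
    end
  end
end

triage(INVENTORY).each { |host, action| puts "#{host}: #{action}" }
```

A version that falls outside the three listed ranges is reported as `:not_in_listed_ranges` rather than as safe, because the debrief does not state the status of other release lines.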
Evidence notes
CVE-2026-44783 was published on 2026-06-12T21:16:21.917Z and has a CVSS score of 5.4, indicating medium severity.
Official resources
- CVE-2026-44783 CVE record (CVE.org)
- CVE-2026-44783 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-44783 was published on 2026-06-12T21:16:21.917Z.