PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44784 discourse CVE debrief

CVE-2026-44784 is a vulnerability in Discourse, an open-source discussion platform. The issue affects versions from 2026.1.0-latest up to (but not including) 2026.1.4, from 2026.3.0-latest up to (but not including) 2026.3.1, and from 2026.4.0-latest up to (but not including) 2026.4.1. In these versions, group owners, who are not necessarily admins or moderators, can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). The exposed fields are email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode. The most sensitive of these is the SMTP password, which an owner could use to send mail as the group from outside Discourse. The issue matters for sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials.

Vendor
discourse
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials should prioritize patching. The exposure is limited to groups with their own SMTP settings: any such group whose ownership has been granted to a user who should not hold its SMTP credentials is at risk.

Technical summary

The vulnerability allows group owners to view sensitive SMTP credentials in plaintext. This is possible because the group history log endpoint (/groups/:name/logs.json), which group owners can read, returns the email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode fields. The most critical field is email_password, since it could be used to send mail as the group from outside Discourse.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to a fixed version: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
  • Review group ownership and restrict it to trusted users, particularly for groups with per-group SMTP settings.
  • Rotate the SMTP credentials of any group whose history log may have been viewed by a non-admin owner while an affected version was deployed.
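The first action above depends on knowing whether a deployed build falls inside one of the affected ranges. The following checker is an added example, not code from PatchSiren or Discourse: it encodes the three affected ranges stated in this debrief (start inclusive, fixed version exclusive) and compares an installed version string against them. It assumes Discourse version strings look like "2026.1.4" or "2026.1.0-latest.1" and that a "-latest" tag orders before the plain release carrying the same numbers (semver-style pre-release ordering); that ordering rule is an assumption. It follows the debrief in treating versions outside the listed ranges (for example a 2026.2.x build) as not affected.

```python
"""Affected-version check for CVE-2026-44784 (Discourse group SMTP credential
exposure via /groups/:name/logs.json). Added example, not PatchSiren or
Discourse code. The version grammar and the "-latest orders before release"
rule are assumptions made for this example."""
import re
from typing import Iterable, List, Tuple

# Affected ranges taken from the advisory: [start, fixed) with start inclusive
# and the fixed version exclusive.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2026.1.0-latest", "2026.1.4"),
    ("2026.3.0-latest", "2026.3.1"),
    ("2026.4.0-latest", "2026.4.1"),
]

# "<dotted numbers>" optionally followed by "-<dotted identifiers>"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str):
    """Turn a version string into a tuple that compares correctly with <.

    Layout: (numbers, rank, prerelease_identifiers), where rank is 1 for a
    plain release and 0 for a tagged build, so "2026.1.0-latest" < "2026.1.0".
    Identifiers are wrapped as (0, int) or (1, str) so that numeric and
    alphabetic parts never get compared directly against each other.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Discourse version: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))  # "2026.1" -> (2026, 1, 0)
    tag = match.group(2)
    if tag is None:
        return (numbers, 1, ())
    identifiers = tuple(
        (0, int(part)) if part.isdigit() else (1, part) for part in tag.split(".")
    )
    return (numbers, 0, identifiers)


def is_affected(version_text: str, ranges=AFFECTED_RANGES) -> bool:
    """True when the version lies inside any affected [start, fixed) range."""
    version = parse_version(version_text)
    return any(parse_version(lo) <= version < parse_version(hi) for lo, hi in ranges)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate (hostname, version) pairs with the affected verdict."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("forum-a.example", "2026.1.3"),
        ("forum-b.example", "2026.1.4"),
        ("forum-c.example", "2026.4.0-latest.2"),
        ("forum-d.example", "2026.5.0-latest.1"),
    ]
    for host, ver, hit in triage(sample):
        print(f"{host:20} {ver:20} {'AFFECTED' if hit else 'not affected'}")
```

Run it against your own inventory by replacing the constructed sample; an AFFECTED verdict means the build should be upgraded and the per-group SMTP credentials on that site treated as potentially exposed.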

Evidence notes

CVE-2026-44784 has a CVSS score of 6.5 and is classified as MEDIUM severity. The vulnerability was published and modified on June 12, 2026.

Official resources

The CVE record for CVE-2026-44784 was published and last modified on 2026-06-12T21:16:22.047Z.