PatchSiren cyber security CVE debrief
CVE-2026-45775 discourse CVE debrief
CVE-2026-45775 is a MEDIUM severity vulnerability in Discourse, an open-source discussion platform. A path traversal issue in backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. Specifically, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators of Discourse installations, particularly those running multisite deployments with locally stored backups, should be aware of this vulnerability. Because an administrator of one site could reach backup data belonging to other sites on the same host, every site in such a deployment is exposed, not only the one whose admin account is misused.
Technical summary
The vulnerability, rated with a CVSS score of 6.8 (MEDIUM severity), is a path traversal weakness in the backup handling mechanism of Discourse. It allows an authenticated administrator to bypass the normal per-site access controls and retrieve backup files belonging to other sites in the same multisite deployment on the same host. The root cause is insufficient validation of the file name supplied in a backup download request, which lets a crafted request resolve to a path outside the requesting site's own backup directory.
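The following is an added illustration, not Discourse's own code or patch, of the validation a backup download handler needs: the requested name is checked against an allow-list pattern and then confirmed to resolve to a direct child of the requesting site's backup directory. The directory layout, file name pattern and function names are assumptions made for the example.

```ruby
# Added example (not from the Discourse code base). Shows a naive backup path
# resolver next to a hardened one that pins the request to a single site's
# backup directory, so a traversal payload cannot reach another site's files.

# Assumed naming convention for backup files: plain names, no directory
# component, no leading dot, and one of two expected archive extensions.
BACKUP_NAME_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9._-]*\.(?:tar\.gz|sql\.gz)\z/

# Vulnerable pattern: trusts the request and lets the OS resolve "..",
# absolute paths and separators, so the result may leave site_backup_dir.
def naive_backup_path(site_backup_dir, requested_name)
  File.expand_path(requested_name, site_backup_dir)
end

# Hardened resolver: returns the absolute path only if the requested name is
# well-formed and resolves to an entry directly inside site_backup_dir;
# returns nil for anything else so the caller answers 404 / not found.
def resolve_backup_path(site_backup_dir, requested_name)
  return nil unless requested_name.is_a?(String)
  # Reject separators, "..", percent-encoded tricks and hidden files up front.
  return nil unless requested_name.match?(BACKUP_NAME_PATTERN)

  base = File.expand_path(site_backup_dir)
  candidate = File.expand_path(requested_name, base)
  # Defense in depth: even after the allow-list, the parent of the resolved
  # path must be exactly the site's backup directory. (For files that exist,
  # comparing File.realpath results as well would also defeat symlink games.)
  return nil unless File.dirname(candidate) == base

  candidate
end

if __FILE__ == $PROGRAM_NAME
  # Constructed multisite layout: one backup directory per site under a root.
  site_a = "/var/discourse/backups/site-a"
  good = "site-a-2026-06-12.tar.gz"
  bad  = "../site-b/site-b-2026-06-12.tar.gz"
  puts "naive, legitimate:  #{naive_backup_path(site_a, good)}"
  puts "naive, traversal:   #{naive_backup_path(site_a, bad)}"   # escapes to site-b
  puts "hardened, legit:    #{resolve_backup_path(site_a, good)}"
  puts "hardened, traversal:#{resolve_backup_path(site_a, bad).inspect}" # nil
end
```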
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patches provided in versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to fix the vulnerability.
- Review and restrict administrative access to backup files and functionality.
- Consider moving backup storage to a more secure, centralized location that is not directly accessible by site administrators.
Evidence notes
The vulnerability was patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1; see the vendor security advisory linked under official resources.
Official resources
- CVE-2026-45775 CVE record (CVE.org)
- CVE-2026-45775 NVD detail (NVD)
- Source reference: CVE-2026-45775 was published and modified on 2026-06-12T21:16:23.267Z.