PatchSiren cyber security CVE debrief
CVE-2026-47263 discourse CVE debrief
CVE-2026-47263 is a medium-severity vulnerability in Discourse, an open-source discussion platform. The issue allows authenticated users to access webhook events due to a missing group ID in the MessageBus.publish call. This vulnerability affects Discourse versions from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. The vulnerability has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Discourse, especially those with instances that have login_required disabled, should be aware of this vulnerability and take steps to update to a patched version.
Technical summary
The MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, making the channel readable by any authenticated user. Webhook IDs are sequential integers and can be easily enumerated.
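The effect of the missing restriction, as an added illustration that is not Discourse's or the message_bus gem's code: a small in-memory model of a bus with per-message group restrictions, where the same publish is checked with and without `group_ids`. The `ToyBus` class, the group id constants and the webhook id 42 are constructed for this example.

```ruby
# Toy model only: mirrors the idea of a per-message group restriction,
# not the real MessageBus implementation.
class ToyBus
  Message = Struct.new(:channel, :data, :group_ids)

  def initialize
    @backlog = []
  end

  # group_ids: nil means "no restriction", the condition the advisory describes.
  def publish(channel, data, group_ids: nil)
    @backlog << Message.new(channel, data, group_ids)
  end

  # Messages on `channel` that a client belonging to `member_of` may read.
  def readable(channel, member_of:)
    @backlog.select do |m|
      next false unless m.channel == channel
      m.group_ids.nil? || (m.group_ids & member_of).any?
    end
  end
end

ADMINS  = 1   # constructed group id for administrators
MEMBERS = 10  # constructed group id for ordinary logged-in users

# Publish one redelivery event and count what each kind of user can read.
def deliveries(group_ids)
  channel = "/web_hook_events/42" # constructed webhook id
  bus = ToyBus.new
  bus.publish(channel, { status: 200 }, group_ids: group_ids)
  {
    admin:  bus.readable(channel, member_of: [ADMINS, MEMBERS]).size,
    member: bus.readable(channel, member_of: [MEMBERS]).size
  }
end

# Regression-style check: true when an ordinary member can read the event.
def leaks_to_members?(group_ids)
  deliveries(group_ids)[:member] > 0
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted publish: #{deliveries(nil)}"
  puts "admin-only publish:   #{deliveries([ADMINS])}"
end
```
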
Defensive priority
Medium
Recommended defensive actions
- Update Discourse to version 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 or later.
- Review and restrict access to webhook events if possible.
Evidence notes
CVE-2026-47263 has a CVSS score of 4.3 and is classified as MEDIUM severity. The vulnerability was published on June 12, 2026, and has not been modified since then.
Official resources
- CVE-2026-47263 CVE record (CVE.org)
- CVE-2026-47263 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-47263 was published on 2026-06-12T21:16:23.537Z.