CVE Catalog

CVE-2026-44780

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile - higher than 7% of all known CVEs

Summary

Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. The ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts arriving via email, allowing moderation group members to access the full email source without proper permissions.

Risk Assessment

Organizations may be exposed to the disclosure of sensitive information contained in emails, potentially leading to breaches of user privacy and trust in the platform.

Recommendation

It is recommended to update Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.

Original NVD description (English source)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups — the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS