CVE-2026-44783
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A vulnerability in the Discourse discussion platform allows authenticated users outside the configured groups to post into staff-only whisper channels. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.
Risk Assessment
Organizations may be at risk of exposing sensitive information as unauthorized content can be visible to staff in whisper channels. Only sites with whispers enabled are affected by this vulnerability.
Recommendation
It is recommended to upgrade to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.
Original NVD description (English source)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

