CVE-2026-44780 Overview
Discourse, an open-source discussion platform, contains an information disclosure vulnerability in the ReviewableQueuedPostSerializer component. The serializer unconditionally included the payload["raw_email"] field for posts that arrived via incoming email. Category moderation group members reaching the review queue could read the full inbound email source, including headers, sender trace, Mail User Agent (MUA), and body. This access bypassed the view_raw_email_allowed_groups trust boundary that normally gates the dedicated raw-email endpoint. The flaw is tracked as [CWE-200] Information Exposure and affects multiple release branches of Discourse.
Critical Impact
Authenticated category moderators can read raw inbound email content, including headers and sender metadata, without belonging to the group authorized to view raw emails.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.4
- Discourse versions 2026.3.0-latest to before 2026.3.1
- Discourse versions 2026.4.0-latest to before 2026.4.1
Discovery Timeline
- 2026-06-12 - CVE-2026-44780 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-44780
Vulnerability Analysis
The vulnerability resides in the ReviewableQueuedPostSerializer class within Discourse. This serializer prepares queued post data for moderators reviewing pending content. When a post originated from an incoming email, the serializer included the complete payload["raw_email"] field in its output without checking authorization. Category moderation group members accessing the review queue received the full raw email source as part of normal serialization. The information exposed includes Simple Mail Transfer Protocol (SMTP) headers, sender trace data, Mail User Agent strings, and the complete message body. Discourse maintains a separate view_raw_email_allowed_groups setting that controls access to a dedicated raw-email endpoint. The serializer bypassed this control entirely, exposing data through a different code path.
Root Cause
The root cause is missing authorization enforcement in the serializer. ReviewableQueuedPostSerializer unconditionally serialized the raw_email payload field for email-sourced posts. The serializer did not consult the view_raw_email_allowed_groups configuration before including this sensitive content. This represents a broken trust boundary where one access path enforces authorization while a parallel path does not.
Attack Vector
An attacker requires authenticated access as a member of any category moderation group. The attacker navigates to the review queue and inspects queued posts that arrived through Discourse's incoming email pipeline. The serialized response contains the full raw_email payload, exposing sender headers, routing information, and message content that should remain restricted. No additional privilege escalation or user interaction is required beyond standard moderator workflow. Refer to the GitHub Security Advisory GHSA-h2jr-whpx-6w63 for technical details on the affected code path.
Detection Methods for CVE-2026-44780
Indicators of Compromise
- Unusual access patterns to the review queue endpoint by moderation group members not authorized for raw email viewing.
- API responses from review queue endpoints containing raw_email field data delivered to users outside view_raw_email_allowed_groups.
- Elevated request rates against queued post review endpoints from accounts that do not typically engage with email-sourced content.
Detection Strategies
- Review Discourse application logs for requests to review queue endpoints, correlating requesting user group membership against view_raw_email_allowed_groups configuration.
- Audit category moderator accounts for activity inconsistent with their normal moderation scope, especially access to email-originated posts.
- Compare serialized response sizes for queued post reviews — responses containing raw email payloads will be substantially larger than text-only posts.
Monitoring Recommendations
- Enable verbose logging on review queue API endpoints and forward logs to a centralized analytics platform for correlation.
- Track changes to category moderation group membership and flag newly added members who immediately access the review queue.
- Monitor outbound data flows from the Discourse application for anomalous content exfiltration following review queue access.
How to Mitigate CVE-2026-44780
Immediate Actions Required
- Upgrade Discourse to a patched release matching your branch: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
- Audit current membership of all category moderation groups and remove accounts that do not require review queue access.
- Review historical access logs for review queue endpoints to identify any unauthorized exposure of raw email content.
Patch Information
Discourse released fixes in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The patch modifies ReviewableQueuedPostSerializer to enforce the view_raw_email_allowed_groups check before including payload["raw_email"] in serialized output. Patch details and the security advisory are published at GitHub Security Advisory GHSA-h2jr-whpx-6w63.
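As an added illustration that is not Discourse's own code: a constructed Ruby stand-in for the queued-post serializer, showing the unconditional raw_email inclusion described under Root Cause beside the gated form described above. User, SiteSetting, Guardian, both serializer classes and the sample reviewable are all constructed here; the real Guardian check is not reproduced.

```ruby
# Constructed stand-ins; none of these are Discourse's real classes.
User        = Struct.new(:username, :group_names)
SiteSetting = Struct.new(:view_raw_email_allowed_groups)

# Stand-in for the check the dedicated raw-email endpoint relies on: the user
# must belong to at least one group named in view_raw_email_allowed_groups.
class Guardian
  def initialize(user, setting)
    @user, @setting = user, setting
  end

  def can_view_raw_email?
    allowed = @setting.view_raw_email_allowed_groups.split('|')
    !(@user.group_names & allowed).empty?
  end
end

# Vulnerable shape: raw_email copied from the payload with no authorization check.
class VulnerableQueuedPostSerializer
  def initialize(reviewable, guardian)
    @payload, @guardian = reviewable['payload'], guardian
  end

  def as_json
    { 'raw' => @payload['raw'], 'raw_email' => @payload['raw_email'] }
  end
end

# Hardened shape: the field is included only when the guardian check passes,
# so the review queue enforces the same trust boundary as the raw-email endpoint.
class FixedQueuedPostSerializer < VulnerableQueuedPostSerializer
  def as_json
    json = { 'raw' => @payload['raw'] }
    json['raw_email'] = @payload['raw_email'] if @guardian.can_view_raw_email?
    json
  end
end

# Constructed sample: a queued post that arrived through the incoming-email pipeline.
QUEUED_POST = { 'payload' => {
  'raw' => 'Hello from email',
  'raw_email' => "Received: from mx.example.invalid\r\nFrom: alice@example.invalid\r\n" \
                 "X-Mailer: ExampleMUA/1.0\r\n\r\nHello from email" } }
SETTING = SiteSetting.new('admins|moderators')

# Serialize the sample post for a given user; returns the JSON-ready hash.
def serialize_for(serializer_class, user)
  serializer_class.new(QUEUED_POST, Guardian.new(user, SETTING)).as_json
end
```

Run `serialize_for(VulnerableQueuedPostSerializer, user)` for a user whose only group is a category moderation group to see the full header block leak, then the same call with `FixedQueuedPostSerializer` to see the field withheld.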
Workarounds
- Restrict category moderation group membership to the minimum set of trusted users until patching is complete.
- Temporarily disable incoming email processing to prevent new email-sourced posts from entering the review queue.
- Rotate any credentials or sensitive tokens that may have appeared in email content exposed through the review queue.
# Verify Discourse version and upgrade to a patched release
cd /var/discourse
./launcher rebuild app
# Confirm version after rebuild
docker exec -it app rails runner "puts Discourse::VERSION::STRING"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.