CVE Vulnerability Database

CVE-2026-44783: Discourse Auth Bypass Vulnerability

CVE-2026-44783 is an authentication bypass flaw in Discourse that allows unauthorized users to post into staff-only whisper channels. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-44783 Overview

CVE-2026-44783 is an access control vulnerability in Discourse, an open-source discussion platform. The flaw resides in how the application handles replies to whisper posts. Authenticated users who are not members of the groups defined in whispers_allowed_groups can post content into a topic's staff-only whisper channel. The injected replies appear alongside legitimate whispers and are visible to staff members who normally read those channels. Only Discourse instances with the whispers feature enabled are affected. The issue is tracked under CWE-284: Improper Access Control.

Critical Impact

Authenticated non-staff users can inject content into staff-only whisper channels, undermining the confidentiality boundary between regular participants and moderation staff.

Affected Products

  • Discourse 2026.1.0-latest and later, before 2026.1.4
  • Discourse 2026.3.0-latest and later, before 2026.3.1
  • Discourse 2026.4.0-latest and later, before 2026.4.1

Discovery Timeline

  • 2026-06-12 - CVE-2026-44783 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-44783

Vulnerability Analysis

Discourse implements a whisper feature that allows staff members to post private comments visible only to other members of the groups listed in the whispers_allowed_groups site setting. These whispers are intended as a side channel for moderation discussion within a public topic. The vulnerability arises in the reply path: while the original whisper creation enforces group membership, the reply handling does not consistently verify that the replying user belongs to an authorized whisper group. An authenticated user who replies to an existing whisper post can have that reply attached to the whisper channel rather than the public topic stream. The reply is then surfaced to staff readers as if it were a legitimate whisper.

Root Cause

The root cause is missing authorization on the whisper reply code path. Permission to participate in whisper threads is checked when creating a new whisper but not re-evaluated when a reply inherits the whisper post type from its parent. This is a classic broken access control pattern in which a derived action trusts the state of the parent object instead of independently authorizing the actor.
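The pattern described above (a reply inheriting its parent's whisper type without the actor being re-authorized) is easiest to see side by side with the corrected version. The following is an added, deliberately simplified model written for this article; it is not Discourse's code, and the string type codes, the `Topic`/`Post`/`User` names and the `reply_vulnerable`/`reply_fixed` methods are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Illustrative type codes only; the advisory text does not give the actual values.
REGULAR, WHISPER = "regular", "whisper"


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


@dataclass
class Post:
    id: int
    author: User
    post_type: str
    reply_to: Optional["Post"] = None


class Topic:
    """Minimal stand-in for a topic's reply path (assumed model, not Discourse's code)."""

    def __init__(self, whispers_allowed_groups: FrozenSet[str]):
        self.whispers_allowed_groups = whispers_allowed_groups
        self.posts: List[Post] = []

    def can_whisper(self, user: User) -> bool:
        # Mirrors the whispers_allowed_groups site setting: any shared group grants whisper rights.
        return bool(user.groups & self.whispers_allowed_groups)

    def _store(self, author: User, post_type: str, reply_to: Optional[Post]) -> Post:
        post = Post(len(self.posts) + 1, author, post_type, reply_to)
        self.posts.append(post)
        return post

    def reply_vulnerable(self, author: User, reply_to: Optional[Post] = None,
                         post_type: str = REGULAR) -> Post:
        # Authorization is only performed when a whisper is requested directly ...
        if reply_to is None and post_type == WHISPER and not self.can_whisper(author):
            raise PermissionError(f"{author.name} may not whisper")
        # ... while a reply silently inherits the parent's type, trusting that the
        # parent was authorized. The actor is never checked on this path.
        if reply_to is not None:
            post_type = reply_to.post_type
        return self._store(author, post_type, reply_to)

    def reply_fixed(self, author: User, reply_to: Optional[Post] = None,
                    post_type: str = REGULAR) -> Post:
        # Resolve the effective type first, then authorize the actor against that
        # type, whether it was requested explicitly or inherited from the parent.
        if reply_to is not None:
            post_type = reply_to.post_type
        if post_type == WHISPER and not self.can_whisper(author):
            raise PermissionError(f"{author.name} may not whisper")
        return self._store(author, post_type, reply_to)


def demonstrate(vulnerable: bool) -> str:
    """Return the post_type a non-staff reply to a staff whisper ends up with,
    or "denied" if the reply path rejects it."""
    topic = Topic(frozenset({"staff"}))
    moderator = User("mod_b", frozenset({"staff"}))
    regular = User("regular_c", frozenset({"trust_level_1"}))
    whisper = topic.reply_fixed(moderator, post_type=WHISPER)  # a legitimate staff whisper
    reply = topic.reply_vulnerable if vulnerable else topic.reply_fixed
    try:
        return reply(regular, reply_to=whisper).post_type
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print("vulnerable path:", demonstrate(True))   # whisper
    print("fixed path:     ", demonstrate(False))  # denied
```

The design point is where the check sits: authorization must be evaluated against the effective post type after inheritance has been resolved, not only at the point where a user asks for a whisper explicitly.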

Attack Vector

Exploitation requires an authenticated account on a Discourse site with whispers enabled and access to a topic that contains at least one whisper post. The attacker submits a reply targeting the whisper post through the standard reply API. The platform persists the reply with the whisper post type, exposing the content to staff. No user interaction from staff is needed beyond their routine review of the whisper channel, which makes the injected content suitable for social engineering or impersonation of moderator conversation.

No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-98ch-mgfj-wqpw for vendor technical details.

Detection Methods for CVE-2026-44783

Indicators of Compromise

  • Whisper posts authored by user accounts that are not members of any group listed in the whispers_allowed_groups site setting.
  • Reply records in the posts table where post_type equals the whisper value but the author lacks staff or whisper-group membership.
  • Unexpected notification activity to staff users referencing replies from non-staff accounts.

Detection Strategies

  • Query the Discourse database for posts with the whisper post type and join against group memberships to identify replies from unauthorized authors.
  • Review moderation logs and the staff action log for whisper threads containing unfamiliar participants between the vulnerable release window and patch application.
  • Correlate web access logs for POST /posts requests where the request payload references a parent post belonging to a whisper thread.
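The first detection strategy, and the first two indicators listed above, reduce to one query: whisper-typed posts whose author is neither staff nor a member of any group in whispers_allowed_groups. The script below is an added example written for this article, not Discourse tooling. It builds an in-memory SQLite database with a constructed, cut-down schema and sample rows, then runs the join. The table and column names (posts.post_type, group_users, site_settings) follow Discourse's schema, but the whisper type value 4, the pipe-separated encoding of whispers_allowed_groups and the `find_unauthorized_whispers` helper are assumptions; adapt the query to the production PostgreSQL schema before relying on it.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumption (not stated by the advisory): whispers are stored with post_type 4 and the
# whispers_allowed_groups site setting is a pipe-separated list of group ids.
WHISPER_POST_TYPE = 4

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, admin INTEGER, moderator INTEGER);
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE group_users (group_id INTEGER, user_id INTEGER);
CREATE TABLE posts (id INTEGER PRIMARY KEY, topic_id INTEGER, user_id INTEGER,
                    post_type INTEGER, reply_to_post_number INTEGER, created_at TEXT);
CREATE TABLE site_settings (name TEXT, value TEXT);
"""

# Constructed sample data: an admin, a moderator, a member of a custom whisper group,
# and a regular user whose reply landed in the whisper channel.
SAMPLE_DATA = {
    "users": [(1, "admin_a", 1, 0), (2, "mod_b", 0, 1), (3, "regular_c", 0, 0), (4, "member_d", 0, 0)],
    "groups": [(3, "staff"), (41, "trust_and_safety")],
    "group_users": [(3, 1), (3, 2), (41, 4)],
    "site_settings": [("whispers_allowed_groups", "3|41")],
    "posts": [
        (100, 7, 1, 1, None, "2026-05-20T10:00:00"),  # regular post by admin
        (101, 7, 2, 4, 1, "2026-05-20T10:05:00"),     # legitimate whisper by moderator
        (102, 7, 4, 4, 2, "2026-05-21T09:00:00"),     # whisper reply by allowed-group member
        (103, 7, 3, 4, 2, "2026-05-22T14:30:00"),     # whisper reply by regular user: suspect
        (104, 7, 3, 1, 1, "2026-05-22T14:35:00"),     # regular reply by regular user: fine
    ],
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_DATA.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def allowed_whisper_groups(conn: sqlite3.Connection) -> List[int]:
    """Parse the whispers_allowed_groups setting into a list of group ids (empty if cleared)."""
    row = conn.execute(
        "SELECT value FROM site_settings WHERE name = 'whispers_allowed_groups'"
    ).fetchone()
    if row is None or not row[0]:
        return []
    return [int(g) for g in row[0].split("|") if g.strip()]


def find_unauthorized_whispers(conn: sqlite3.Connection,
                               since: Optional[str] = None) -> List[Tuple[int, int, str, str]]:
    """Return (post_id, topic_id, username, created_at) for whisper-typed posts whose author
    is neither admin/moderator nor a member of any allowed whisper group, optionally limited
    to posts created at or after `since` (ISO 8601), e.g. the start of the vulnerable window."""
    groups = allowed_whisper_groups(conn)
    # With the setting cleared, IN (NULL) matches nothing, so every non-staff whisper is flagged.
    group_filter = ",".join("?" * len(groups)) or "NULL"
    sql = f"""
        SELECT p.id, p.topic_id, u.username, p.created_at
        FROM posts p
        JOIN users u ON u.id = p.user_id
        WHERE p.post_type = ?
          AND u.admin = 0 AND u.moderator = 0
          AND NOT EXISTS (
              SELECT 1 FROM group_users gu
              WHERE gu.user_id = p.user_id AND gu.group_id IN ({group_filter})
          )
          AND (? IS NULL OR p.created_at >= ?)
        ORDER BY p.created_at
    """
    params = [WHISPER_POST_TYPE, *groups, since, since]
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    for row in find_unauthorized_whispers(build_sample_db()):
        print("suspect whisper reply:", row)
```

Run it against a snapshot rather than the live primary, pass the vulnerable release window's start as `since`, and treat every row as a candidate for the audit and clean-up steps in the mitigation section. Excluding admin and moderator accounts avoids false positives on sites where staff whisper rights come from the built-in staff flags rather than a listed group.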

Monitoring Recommendations

  • Enable verbose logging on the Discourse application server and forward logs to a centralized analytics platform for retention and search.
  • Alert on changes to the whispers_allowed_groups setting and on bulk reply activity targeting whisper topics.
  • Track outbound staff notifications generated from whisper threads to identify anomalous senders.

How to Mitigate CVE-2026-44783

Immediate Actions Required

  • Upgrade Discourse to a fixed release: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
  • Audit existing whisper threads for replies authored by accounts outside whispers_allowed_groups and remove or quarantine any unauthorized content.
  • Review moderation decisions and workflows that may have acted on information injected through a tainted whisper thread.

Patch Information

Discourse has released patched builds in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Site operators on the official Docker image should pull the latest container for their release branch and rebuild. Refer to the GitHub Security Advisory GHSA-98ch-mgfj-wqpw for upgrade guidance.

Workarounds

  • Temporarily disable the whisper feature by clearing the whispers_allowed_groups site setting until the patch is applied.
  • Restrict topic reply permissions on sensitive categories to trusted user trust levels while upgrade planning is underway.
  • Increase moderator review frequency on whisper threads to identify and remove unauthorized replies promptly.

```bash
# Configuration example: disable whispers until patched
# In the Discourse admin UI: Admin > Settings > Posting
# Clear the value of: whispers_allowed_groups
#
# Or via the Rails console on the application container:
SiteSetting.whispers_allowed_groups = ""
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
