CVE-2026-44784 Overview
CVE-2026-44784 is an information disclosure vulnerability in Discourse, an open-source discussion platform. Group owners who are not administrators or moderators can view a group's outgoing email and Simple Mail Transfer Protocol (SMTP) credentials in plaintext. The exposure occurs through the group history log endpoint at /groups/:name/logs.json. Exposed fields include email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode. The flaw maps to [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. It affects deployments that configure per-group SMTP credentials and delegate group ownership to non-privileged users.
Critical Impact
A group owner can retrieve the group's SMTP password in plaintext and send mail impersonating the group from outside Discourse.
Affected Products
- Discourse versions 2026.1.0-latest through versions before 2026.1.4
- Discourse versions 2026.3.0-latest through versions before 2026.3.1
- Discourse versions 2026.4.0-latest through versions before 2026.4.1
Discovery Timeline
- 2026-06-12 - CVE-2026-44784 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-44784
Vulnerability Analysis
Discourse allows administrators to configure SMTP credentials on a per-group basis so that emails sent from a group use a dedicated mailbox. These credentials are stored on the group record and include the SMTP server, port, transport security mode, username, and password. The platform also maintains a group history log accessible at /groups/:name/logs.json that records changes to group configuration.
The log endpoint returns previous and new values for fields modified on the group, including SMTP fields, without redacting secrets. Access to this endpoint is granted to group owners in addition to administrators and moderators. As a result, a non-privileged group owner can query the log and read the email_password value in plaintext along with the full SMTP configuration.
With the SMTP password in hand, the owner can authenticate directly to the configured mail server outside the Discourse application. This enables the attacker to send mail as the group, bypassing Discourse audit logs and rate limits.
Root Cause
The root cause is missing redaction and insufficient authorization on sensitive fields returned by the group history log. The endpoint exposes the same set of attributes to group owners that it would to higher-privileged roles, and SMTP secrets are serialized as cleartext rather than filtered before response generation.
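The following Ruby example is added here to illustrate the root cause just described; it is not Discourse's code or the vendor's fix. It models a group history log as a list of entries with previous and new values (the field names are the ones the advisory lists), keeps the page's access rule that staff and group owners may view the log, and contrasts an unfiltered serializer with one that returns SMTP-configuration entries only to admins and redacts the password value by default. The entry shape, the `Viewer` roles and the sample values are assumptions constructed for the example.

```ruby
# Added example, not Discourse's code: role-aware serialization of group
# history entries so that per-group SMTP secrets never reach non-admin viewers.
# Field names follow the advisory; entry shape and roles are assumptions.

SMTP_SUBJECTS   = %w[email_username email_password smtp_server smtp_port smtp_ssl_mode].freeze
SECRET_SUBJECTS = %w[email_password].freeze
REDACTED        = "[REDACTED]".freeze

Viewer = Struct.new(:username, :admin, :moderator, :owned_groups) do
  def staff?
    admin || moderator
  end

  # The access rule the advisory describes for the log itself:
  # administrators, moderators, or an owner of that group.
  def may_view_log?(group_name)
    staff? || owned_groups.include?(group_name)
  end
end

# Constructed history entries for a group called "helpdesk": previous and new
# value for each changed setting, plus a membership change for contrast.
SAMPLE_HISTORY = [
  { subject: "name",           prev_value: "support", new_value: "helpdesk",           acting_user: "admin1" },
  { subject: "smtp_server",    prev_value: nil,       new_value: "smtp.example.test",  acting_user: "admin1" },
  { subject: "smtp_port",      prev_value: nil,       new_value: "587",                acting_user: "admin1" },
  { subject: "email_password", prev_value: nil,       new_value: "constructed-secret", acting_user: "admin1" },
  { subject: "add_user",       prev_value: nil,       new_value: "bob",                acting_user: "alice"  },
].freeze

# The pattern the advisory describes: once a caller passes the log-view check,
# every entry is returned verbatim, SMTP password included.
def serialize_unfiltered(entries, viewer, group_name)
  raise ArgumentError, "not allowed to view log" unless viewer.may_view_log?(group_name)
  entries.map(&:dup)
end

# Hardened: SMTP-configuration entries are visible only to admins, and the
# password value is redacted even for admins unless explicitly requested.
def serialize_for(entries, viewer, group_name, reveal_secrets: false)
  raise ArgumentError, "not allowed to view log" unless viewer.may_view_log?(group_name)
  entries.each_with_object([]) do |entry, out|
    subject = entry[:subject]
    if SMTP_SUBJECTS.include?(subject)
      next unless viewer.admin
      entry = entry.dup
      if SECRET_SUBJECTS.include?(subject) && !reveal_secrets
        entry[:prev_value] = REDACTED unless entry[:prev_value].nil?
        entry[:new_value]  = REDACTED unless entry[:new_value].nil?
      end
    end
    out << entry
  end
end

# Regression check for a test suite: does any serialized value equal a known secret?
def leaks?(serialized, secrets)
  serialized.any? { |e| secrets.include?(e[:prev_value]) || secrets.include?(e[:new_value]) }
end

if __FILE__ == $PROGRAM_NAME
  owner = Viewer.new("bob", false, false, ["helpdesk"])
  admin = Viewer.new("admin1", true, false, [])
  puts "owner sees #{serialize_for(SAMPLE_HISTORY, owner, 'helpdesk').size} of #{SAMPLE_HISTORY.size} entries"
  pw = serialize_for(SAMPLE_HISTORY, admin, 'helpdesk').find { |e| e[:subject] == 'email_password' }
  puts "admin sees email_password as: #{pw[:new_value]}"
end
```

The design point is that the filter runs on the server before serialization and keys off the viewer's role, not off the client's request; a `leaks?`-style assertion against known test secrets is a cheap regression guard for any endpoint that echoes configuration history.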
Attack Vector
Exploitation requires an authenticated account that holds owner privileges on a group with per-group SMTP credentials configured. The attacker issues a GET request to /groups/:name/logs.json for the target group and parses the JSON response. No user interaction is required from administrators, and the request leaves only normal log-view traces on the Discourse host.
No public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-94c5-j24g-r99f for vendor technical details.
Detection Methods for CVE-2026-44784
Indicators of Compromise
- Requests to /groups/:name/logs.json originating from accounts that hold only group owner privileges, particularly bursts or scripted access patterns.
- Outbound SMTP authentication attempts to the configured per-group mail server from source addresses outside the Discourse application host.
- Outgoing mail sent through the group's SMTP account that does not correspond to messages stored in the Discourse database.
Detection Strategies
- Audit Discourse production logs for accesses to the group logs endpoint and correlate the requesting user's roles against expected administrator or moderator status.
- Review group history logs for SMTP credential change events and the user identifiers that subsequently queried those entries.
- Compare SMTP relay logs on the mail server against the Discourse outbound mail queue to identify messages that did not transit the application.
Monitoring Recommendations
- Alert on SMTP authentication events from unexpected client IP ranges using the per-group mailbox credentials.
- Track read access to /groups/:name/logs.json per user and flag non-staff accounts that query the endpoint.
- Forward Discourse application logs and SMTP server logs to a centralized analytics platform for cross-source correlation.
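The Ruby detector below is an added example, not part of the advisory or of Discourse, covering the two application-side signals in the indicator, detection and monitoring lists above: group-log reads by accounts that are not staff, and burst or scripted access by one account. It runs over constructed request-log lines in a key=value request-log style; the exact field names (`path`, `status`, `ip`, `username`) and the staff roster are assumptions about a deployment and would be taken from the real log format and admin/moderator lists.

```ruby
require "time"

# Added example, not Discourse's code: flag non-staff and burst reads of the
# group history log. Log format and staff list are constructed assumptions.

STAFF = %w[admin1 mod1].freeze   # constructed admin/moderator roster
GROUP_LOG_PATH = %r{\A/groups/(?<group>[^/?]+)/logs\.json}

# Constructed request-log lines (Ruby Logger prefix, then key=value fields).
SAMPLE_LOG = <<~LOG
  I, [2026-06-13T10:00:01.000000 #42]  INFO -- : method=GET path=/groups/helpdesk/logs.json format=json controller=GroupsController action=histories status=200 duration=18.4 ip=203.0.113.10 username=admin1
  I, [2026-06-13T10:05:12.000000 #42]  INFO -- : method=GET path=/groups/helpdesk format=html controller=GroupsController action=show status=200 duration=40.1 ip=198.51.100.7 username=bob
  I, [2026-06-13T10:05:14.000000 #42]  INFO -- : method=GET path=/groups/helpdesk/logs.json format=json controller=GroupsController action=histories status=200 duration=12.9 ip=198.51.100.7 username=bob
  I, [2026-06-13T10:05:15.000000 #42]  INFO -- : method=GET path=/groups/helpdesk/logs.json format=json controller=GroupsController action=histories status=200 duration=11.2 ip=198.51.100.7 username=bob
  I, [2026-06-13T10:05:16.000000 #42]  INFO -- : method=GET path=/groups/helpdesk/logs.json format=json controller=GroupsController action=histories status=200 duration=10.8 ip=198.51.100.7 username=bob
  I, [2026-06-13T11:30:00.000000 #42]  INFO -- : method=GET path=/groups/sales/logs.json format=json controller=GroupsController action=histories status=403 duration=3.0 ip=192.0.2.5 username=carol
LOG

Event = Struct.new(:time, :user, :ip, :group, :status)

# Keep only requests to a group's history log; every other path is ignored.
def parse_group_log_events(text)
  text.each_line.each_with_object([]) do |line, out|
    fields = line.scan(/(\w+)=(\S+)/).to_h
    match = GROUP_LOG_PATH.match(fields["path"].to_s)
    next unless match
    stamp = line[/\[(\d{4}-\d{2}-\d{2}T[\d:.]+)/, 1]
    out << Event.new(Time.iso8601(stamp), fields["username"], fields["ip"], match[:group], fields["status"].to_i)
  end
end

# Signal 1: successful log reads by accounts that are neither admin nor moderator.
def non_staff_log_reads(events, staff: STAFF)
  events.select { |e| e.status == 200 && !staff.include?(e.user) }
end

# Signal 2: scripted access, approximated as `threshold` reads by one user
# inside a `window` of seconds.
def burst_readers(events, threshold: 3, window: 60)
  events.group_by(&:user).each_with_object([]) do |(user, evs), out|
    times = evs.map(&:time).sort
    out << user if times.each_cons(threshold).any? { |run| run.last - run.first <= window }
  end
end

# One line per finding in a constructed format, suitable for forwarding to
# the central analytics platform mentioned above.
def report(text, staff: STAFF)
  events = parse_group_log_events(text)
  lines = non_staff_log_reads(events, staff: staff).map do |e|
    "NON_STAFF_GROUP_LOG_READ user=#{e.user} group=#{e.group} ip=#{e.ip} at=#{e.time.iso8601}"
  end
  burst_readers(events).each { |u| lines << "BURST_GROUP_LOG_READS user=#{u}" }
  lines
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_LOG)
end
```

The non-staff signal is the one that matters on an unpatched host, since a group owner reading the log is exactly the condition the advisory describes; after patching it becomes a low-priority signal because the secrets are no longer returned. The mail-server side (SMTP authentication from addresses other than the Discourse host) needs the relay's own logs and is not covered by this script.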
How to Mitigate CVE-2026-44784
Immediate Actions Required
- Upgrade Discourse to a patched release: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
- Rotate every per-group SMTP password that existed on an affected version, even if no abuse has been observed.
- Review group ownership assignments and remove ownership from users who do not require it on groups with SMTP credentials.
Patch Information
Discourse has released fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The fix restricts visibility of SMTP credential fields in the group history log to administrators. Patch notes and commit references are available in the GitHub Security Advisory GHSA-94c5-j24g-r99f.
Workarounds
- Temporarily revoke group owner status from non-staff users on any group that has per-group SMTP credentials configured until patching is complete.
- Clear per-group SMTP credentials and route outbound mail through the global Discourse SMTP configuration if granular sender addresses are not strictly required.
- Restrict access to the /groups/:name/logs.json endpoint at the reverse proxy layer as a defense-in-depth measure. The proxy cannot see Discourse roles, so in practice this means blocking the path outright or allowing it only from the networks administrators use until the upgrade is complete.
# Upgrade Discourse to a patched release using the standard launcher
cd /var/discourse
git pull
./launcher rebuild app
# Verify the running version matches a patched release
./launcher logs app | grep -i "discourse version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

