Improper access control in Discourse - CVE-2022-31096

 

Improper access control in Discourse - CVE-2022-31096

Published: June 21, 2022 / Updated: July 1, 2026


Vulnerability identifier: #VU136058
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-31096
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to bypass invite email or email domain restrictions and gain unauthorized access to restricted content.

The vulnerability exists due to improper access control in the invite redemption mechanism when redeeming an invite. A remote user can redeem an invite with an email address that does not match the invite restrictions to bypass invite email or email domain restrictions and gain unauthorized access to restricted content.

If the invite is configured to add the accepting user to restricted groups, successful exploitation may result in unauthorized membership in those groups.


How to mitigate CVE-2022-31096

Install security update from vendor's website.

Sources