Improper access control in Discourse - CVE-2022-31096
Published: June 21, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass invite email or email domain restrictions and gain unauthorized access to restricted content.
The vulnerability exists due to improper access control in the invite redemption mechanism when redeeming an invite. A remote user can redeem an invite with an email address that does not match the invite restrictions to bypass invite email or email domain restrictions and gain unauthorized access to restricted content.
If the invite is configured to add the accepting user to restricted groups, successful exploitation may result in unauthorized membership in those groups.