Improper access control in Discourse - CVE-2022-31184
Published: July 27, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper access control in the update_activate_email route when handling email activation requests. A remote attacker can send repeated crafted requests to bypass the existing rate limit and cause a denial of service.
User interaction is required to trigger the spam signup emails.