Improper Authorization in Discourse - CVE-2022-39356
Published: November 1, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain improper access to existing accounts.
The vulnerability exists due to improper authorization in invite link handling when processing invitation-based account access. A remote user can use an invitation link that is not restricted to a single invitee email address to gain improper access to existing accounts.
This issue does not allow access to administrator accounts.