Server-Side Request Forgery (SSRF) in Discourse - #VU136082
Published: March 17, 2023 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to server-side request forgery in the WebPush gem HTTP client when sending push notifications. A remote attacker can cause the application to send crafted requests to disclose sensitive information.
User interaction is required.