Resource exhaustion in Discourse - CVE-2024-27100
Published: March 15, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the user suspension, user silencing, and CSV export endpoints when handling oversized parameters. A remote user can send crafted requests with large parameter values to cause a denial of service.
In multisite deployments, exploitation may be performed by a staff member on another site in the same cluster.