Improper access control in Discourse - CVE-2026-33393
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass spam protection.
The vulnerability exists due to improper access control in the allowed_spam_host_domains check when validating host domains against the allowlist. A remote user can use a crafted domain name with an allowlisted suffix to bypass spam protection.
The issue stems from using suffix-based hostname matching without validating a domain boundary, which can affect enforcement of newuser_spam_host_threshold.
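The pattern described above, as an added Ruby illustration that is not Discourse's own code: a suffix-only allowlist check beside one that matches on a DNS label boundary, plus a toy host counter standing in for a new-user link threshold. The allowlist, hostnames and URLs are constructed sample values, and the function names are assumptions made for this example.

```ruby
require "uri"

# Constructed sample allowlist; the setting name mirrors the one in the advisory,
# but the contents are made up for this illustration.
ALLOWED_SPAM_HOST_DOMAINS = %w[example.com].freeze

# Weak form: plain string suffix matching. "notexample.com" passes because it
# ends with "example.com", although it is an unrelated registrable domain.
def allowlisted_suffix_only?(host, allowlist = ALLOWED_SPAM_HOST_DOMAINS)
  h = host.to_s.downcase.chomp(".")
  allowlist.any? { |d| h.end_with?(d.to_s.downcase) }
end

# Hardened form: the host must equal the allowlisted domain or end with
# "." + domain, so the match always lands on a label boundary. Empty
# entries are skipped; otherwise end_with?("") would allowlist every host.
def allowlisted_domain?(host, allowlist = ALLOWED_SPAM_HOST_DOMAINS)
  h = host.to_s.downcase.chomp(".")
  allowlist.any? do |entry|
    d = entry.to_s.strip.downcase.chomp(".")
    next false if d.empty?
    h == d || h.end_with?(".#{d}")
  end
end

# Extract the host from a URL; returns nil for unparseable input so that a
# malformed link is never silently treated as allowlisted.
def host_of(url)
  URI.parse(url.to_s.strip).host
rescue URI::InvalidURIError
  nil
end

# Toy stand-in for a new-user spam host threshold: count the links whose host
# is NOT allowlisted, using whichever checker is supplied. Hosts that cannot be
# parsed count against the threshold.
def non_allowlisted_link_count(urls, checker)
  urls.count do |u|
    h = host_of(u)
    h.nil? || !checker.call(h)
  end
end

if __FILE__ == $PROGRAM_NAME
  links = %w[https://example.com/a https://www.example.com/b https://notexample.com/c]
  puts "suffix-only: #{non_allowlisted_link_count(links, method(:allowlisted_suffix_only?))}"
  puts "label-boundary: #{non_allowlisted_link_count(links, method(:allowlisted_domain?))}"
end
```

With the suffix-only checker the crafted third link is exempt from the count; with the label-boundary checker it is counted, which is the difference the advisory describes.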