Server-Side Request Forgery (SSRF) in Discourse - CVE-2026-33185
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to probe internal network infrastructure.
The vulnerability exists due to server-side request forgery (SSRF) in the group email settings test endpoint when handling test requests. A remote user can submit a crafted request to make the server initiate outbound connections to arbitrary hosts and ports to probe internal network infrastructure.
The endpoint was accessible to non-staff group owners.
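A destination check of the kind a user-triggered mail connection test needs, as an added example that is not Discourse's code or its patch. The function and constant names, the port allowlist, the staff-only policy and the sample DNS data are assumptions made for illustration.

```ruby
require "ipaddr"
require "resolv"

# Assumption: the only ports a mail-settings test legitimately needs.
ALLOWED_MAIL_PORTS = [25, 465, 587, 143, 993].freeze

# Loopback, private, link-local and similar ranges a user-triggered test must never reach.
BLOCKED_NETS = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {
  "mail.example.com"   => ["203.0.113.10"],
  "intranet.example"   => ["10.0.0.5"],
  "mixed.example.com"  => ["203.0.113.10", "127.0.0.1"],
  "mapped.example.com" => ["::ffff:127.0.0.1"]
}.freeze
SAMPLE_RESOLVER = ->(host) { SAMPLE_DNS.fetch(host, []) }

def blocked_ip?(ip)
  addr = IPAddr.new(ip).native # unwrap IPv4-mapped IPv6 such as ::ffff:127.0.0.1
  BLOCKED_NETS.any? { |net| net.include?(addr) }
end

# Returns the vetted IPs the caller may connect to, or [] when the request is refused.
# The caller must connect to a returned IP, not re-resolve the hostname, so a
# second DNS answer cannot differ from the one that was checked.
def vetted_mail_test_ips(host, port, staff:, resolver: ->(h) { Resolv.getaddresses(h) })
  return [] unless staff # assumed policy: only staff may run the test
  return [] unless ALLOWED_MAIL_PORTS.include?(Integer(port, exception: false))
  ips = resolver.call(host.to_s)
  # Refuse if the name does not resolve or if any answer lands in a blocked range.
  return [] if ips.empty? || ips.any? { |ip| blocked_ip?(ip) }
  ips
end
```

Refusing the whole request when any one resolved address is blocked keeps a hostname with mixed public and internal records from being used to reach the internal one.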