Open redirect in Discourse - CVE-2026-32113


Published: July 1, 2026


Vulnerability identifier: #VU136149
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32113
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an arbitrary external site.

The vulnerability exists due to improper input validation in the enter action of StaticController when processing the sso_destination_url cookie during authentication via the /login endpoint. A remote attacker can set a crafted cookie value to redirect users to an arbitrary external site.

Only sites with DiscourseConnect Provider enabled are vulnerable, and exploitation requires the ability to set cookies in the victim's browser.
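The weakness described above is a redirect destination taken from a cookie and trusted as-is. The following Ruby snippet is an added example of the kind of check a Rails application should apply before honouring such a value; it is not Discourse's own code, and `SITE_HOST`, `safe_redirect_target` and the sample cookie values are assumptions chosen for illustration. It goes slightly beyond the single cookie case by covering the usual open-redirect bypass shapes (protocol-relative `//host`, backslash `/\host`, triple slash, `user@host`, look-alike hostnames, non-http schemes) and collapses any accepted absolute URL to a path-relative form so no foreign authority can survive validation.

```ruby
require "uri"

# Constructed example (not Discourse code): validate a post-login redirect
# target that arrives in an attacker-settable cookie. Only paths on the site
# itself are honoured; everything else falls back to a safe default.
SITE_HOST = "forum.example.com".freeze   # assumed host of the site
SAFE_FALLBACK = "/".freeze

# Returns a same-site, path-relative redirect target or SAFE_FALLBACK.
def safe_redirect_target(raw)
  return SAFE_FALLBACK if raw.nil?
  value = raw.strip
  return SAFE_FALLBACK if value.empty?
  # Control characters, whitespace and backslashes have no place in a
  # redirect target; browsers treat "\" as "/", which enables "/\evil" tricks.
  return SAFE_FALLBACK if value.match?(/[\s\x00-\x1f\x7f\\]/)
  # Two or more leading slashes ("//evil.example", "///evil.example") are
  # treated as an authority by browsers even where a URI parser sees a path.
  return SAFE_FALLBACK if value.start_with?("//")

  uri = URI.parse(value)
  if uri.scheme || uri.host || uri.userinfo
    # Absolute URL: accept only http(s) on exactly our own host. A userinfo
    # part ("https://forum.example.com@evil.example/") still fails the host
    # check because the real host is evil.example.
    return SAFE_FALLBACK unless %w[http https].include?(uri.scheme.to_s.downcase)
    return SAFE_FALLBACK unless uri.host.to_s.downcase == SITE_HOST
  else
    # Relative target: must be an absolute path on this site ("/t/123").
    return SAFE_FALLBACK unless uri.path.start_with?("/")
  end
  relative_form(uri)
rescue URI::InvalidURIError
  SAFE_FALLBACK
end

# Reduce an accepted URI to path + query + fragment, dropping any authority.
def relative_form(uri)
  path = uri.path.to_s.empty? ? "/" : uri.path
  out = path.dup
  out << "?" << uri.query if uri.query
  out << "#" << uri.fragment if uri.fragment
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed cookie values, shown with what the validator makes of them.
  [
    "/t/welcome/1?u=2",
    "https://forum.example.com/t/1#reply",
    "https://evil.example/",
    "//evil.example/x",
    "/\\evil.example",
    "https://forum.example.com@evil.example/",
    "javascript:alert(1)",
  ].each { |v| puts "#{v.inspect} => #{safe_redirect_target(v).inspect}" }
end
```

Anything the validator rejects is replaced by the site root rather than being passed on to `redirect_to`, so a crafted `sso_destination_url` cookie can at worst send the user to the front page. Logging the rejected value (without following it) is a useful detection signal for attempts against this class of flaw.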


How to mitigate CVE-2026-32113

Install the security update from the vendor's website.

Sources