Missing Authentication for Critical Function in Discourse - CVE-2026-26077


Published: July 1, 2026


Vulnerability identifier: #VU136496
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-26077
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service against email delivery to legitimate users.

The vulnerability exists due to missing authentication (CWE-306) on the inbound email-provider webhook endpoints in WebhooksController: when no authentication token is configured for a provider, incoming webhook requests are processed without any verification of their origin. A remote attacker can therefore send forged webhook payloads to these endpoints.

The issue affects the SendGrid, Mailjet, Mandrill, Postmark, SparkPost and Mailpace webhook endpoints. Forged bounce events artificially inflate the bounce score of targeted user accounts, so email delivery to legitimate users may be disabled.
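The following Ruby example is added here to illustrate the failure mode described above; it is not Discourse's code, and the class, method and constant names (BounceWebhookReceiver, handle, BOUNCE_SCORE_THRESHOLD), the bounce threshold, and the JSON event shape are hypothetical and constructed for the demonstration. It models a bounce-webhook receiver in two variants: the vulnerable behaviour, where an endpoint with no token configured accepts any payload, and the hardened behaviour, where the endpoint refuses to process requests until a token is configured and then checks the presented token with a constant-time comparison.

```ruby
require 'json'

# Hypothetical threshold; the real Discourse value is not taken from this page.
BOUNCE_SCORE_THRESHOLD = 4

class BounceWebhookReceiver
  attr_reader :bounce_scores, :disabled_emails

  # token: the shared secret the mail provider is expected to present (nil = unconfigured).
  # reject_when_unconfigured: false reproduces the vulnerable pattern, true the hardened one.
  def initialize(token:, reject_when_unconfigured:)
    @token = token
    @reject_when_unconfigured = reject_when_unconfigured
    @bounce_scores = Hash.new(0)
    @disabled_emails = []
  end

  # Processes one webhook request and returns an HTTP-like status code.
  def handle(presented_token, body)
    return 403 unless authorized?(presented_token)

    events = JSON.parse(body)
    return 400 unless events.is_a?(Array)

    events.each do |ev|
      next unless ev.is_a?(Hash) && ev["event"] == "bounce"
      email = ev["email"].to_s.downcase
      @bounce_scores[email] += 1
      # Once the bounce score reaches the threshold, outgoing email for that user is disabled.
      if @bounce_scores[email] >= BOUNCE_SCORE_THRESHOLD && !@disabled_emails.include?(email)
        @disabled_emails << email
      end
    end
    200
  rescue JSON::ParserError
    400
  end

  private

  def authorized?(presented)
    if @token.nil? || @token.empty?
      # Vulnerable variant: no token configured, so every request is accepted.
      # Hardened variant: no token configured, so the endpoint refuses to process anything.
      return !@reject_when_unconfigured
    end
    return false if presented.nil?
    constant_time_equal?(@token, presented.to_s)
  end

  # Length check first, then a fixed-work byte comparison so timing does not leak the token.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed forged payload: five bounce events for one victim address, no real provider data.
FORGED_BOUNCES = JSON.generate(
  Array.new(5) { { "event" => "bounce", "email" => "victim@example.org" } }
)

# Runs the forged payload against an endpoint with no token configured and
# returns [status, victim bounce score, victim email disabled?].
def demo(reject_when_unconfigured)
  r = BounceWebhookReceiver.new(token: nil, reject_when_unconfigured: reject_when_unconfigured)
  status = r.handle(nil, FORGED_BOUNCES)
  [status, r.bounce_scores["victim@example.org"], r.disabled_emails.include?("victim@example.org")]
end

if __FILE__ == $0
  p demo(false)  # vulnerable: [200, 5, true]
  p demo(true)   # hardened:   [403, 0, false]
end
```

With no token configured, the vulnerable variant accepts the forged bounces and disables the victim's email after the fourth one; the hardened variant returns 403 and leaves the bounce score untouched. Once a token is configured, both variants reject a wrong or missing token and accept only the correct one.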


How to mitigate CVE-2026-26077

Install the security update from the vendor's website. The description above ties the unauthenticated path to provider webhook endpoints that have no authentication token configured, so until the update is applied, confirm that an authentication token is configured for every enabled mail-provider webhook rather than relying on the endpoint being unknown to attackers.
