Missing Authentication for Critical Function in Discourse - CVE-2026-26077
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists because the webhook endpoints in the WebhooksController do not properly enforce access control on webhook requests when no authentication token is configured. A remote attacker can send forged webhook payloads to cause a denial of service.
The issue affects the SendGrid, Mailjet, Mandrill, Postmark, SparkPost, and Mailpace webhook endpoints. Forged payloads can artificially inflate user bounce scores, so legitimate user emails may be disabled.
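The difference between accepting and rejecting webhook requests when no token is configured, shown as an added example that is not Discourse's code. All method names, the token table and the bounce-score hash are hypothetical, and how the token reaches the server (header or parameter) is left abstract.

```ruby
require "digest"

# Constant-time comparison; hashing first makes both inputs the same length.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fail-open pattern (kept only for contrast): with no token configured the
# check is skipped, so any sender is treated as the mail provider.
def webhook_allowed_fail_open?(configured, presented)
  return true if configured.nil? || configured.empty?
  secure_equal?(configured, presented)
end

# Fail-closed pattern: no configured token means the endpoint is off.
def webhook_allowed_fail_closed?(configured, presented)
  return false if configured.nil? || configured.strip.empty?
  return false if presented.nil? || presented.empty?
  secure_equal?(configured, presented)
end

# Hypothetical handler: returns an HTTP status and only touches the bounce
# score after the request has been authenticated.
def handle_bounce_webhook(tokens, provider, presented, bounce_scores, email)
  return 403 unless webhook_allowed_fail_closed?(tokens[provider], presented)
  bounce_scores[email] = bounce_scores.fetch(email, 0) + 1
  200
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one provider with a token, one without.
  tokens = { "sendgrid" => "constructed-token", "mailjet" => nil }
  scores = {}
  p handle_bounce_webhook(tokens, "mailjet", "", scores, "user@example.com")
  p handle_bounce_webhook(tokens, "sendgrid", "constructed-token", scores, "user@example.com")
  p scores
end
```

A deployment can apply the same rule operationally: any provider endpoint without a configured token should return an error rather than process the payload.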