Improper access control in Discourse - CVE-2022-21684
Published: January 13, 2022 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass user approval and access the forum with the permissions of an approved user.
The vulnerability exists due to improper access control in the invite redemption flow when redeeming an email invitation on forums with user approval required. A remote user can redeem a valid invitation to bypass user approval and access the forum with the permissions of an approved user.
Only users invited via email are affected, and the access is limited to the initial automatic login session.