Improper access control in Discourse - CVE-2021-41263
Published: November 15, 2021 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and compromise the integrity of session handling.
The vulnerability exists due to improper access control in encrypted session cookies when re-using cookies between sites served by the same application instance. A remote user can re-use an encrypted session cookie from one site on another site served by the same application instance to disclose sensitive information and compromise the integrity of session handling.
Only multisite Discourse instances are vulnerable.