Improper access control in Discourse - CVE-2021-41263

 

Improper access control in Discourse - CVE-2021-41263

Published: November 15, 2021 / Updated: July 1, 2026


Vulnerability identifier: #VU136566
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-41263
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and compromise the integrity of session handling.

The vulnerability exists due to improper access control in encrypted session cookies when re-using cookies between sites served by the same application instance. A remote user can re-use an encrypted session cookie from one site on another site served by the same application instance to disclose sensitive information and compromise the integrity of session handling.

Only multisite Discourse instances are vulnerable.


How to mitigate CVE-2021-41263

Install security update from vendor's website.

Sources