Improper access control in Discourse - CVE-2021-37693
Published: August 13, 2021 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to reset passwords.
The vulnerability exists due to improper access control in email token handling when reusing an unused token generated for an additional email address. A remote user can use a previously generated email token in another context to reset passwords.
Exploitation requires access to an existing account and a previously generated unused email verification token.