Improper access control in Discourse - CVE-2026-44784
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access control in the group history log endpoint when handling requests to view group logs. A remote user can request /groups/:name/logs.json for a group they own and obtain sensitive information from the response.
This affects sites that use per-group SMTP credentials and assign group ownership to users who should not have access to those credentials.
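To review which clients have read group history logs through the endpoint named above, the following added example (not part of the advisory or of Discourse) scans a reverse-proxy access log for successful requests to /groups/:name/logs.json. It assumes the combined log format; the sample lines, addresses and group names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined log format (assumption; adjust to the proxy's actual log_format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint named in the advisory: /groups/:name/logs.json
ENDPOINT_RE = re.compile(r'^/groups/(?P<group>[^/]+)/logs\.json$')

# Constructed sample lines, not taken from any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2026:10:00:01 +0000] "GET /groups/support/logs.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2026:10:00:09 +0000] "GET /groups/support/logs.json?offset=100 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2026:10:02:30 +0000] "GET /groups/billing%2Dteam/logs.json HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2026:10:03:00 +0000] "GET /groups/staff/logs.json HTTP/1.1" 403 120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jul/2026:10:04:00 +0000] "GET /groups/support/members.json HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def group_log_reads(log_text):
    """Return {group: {client_ip: [timestamps]}} for successful group log reads."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only completed reads matter here: GET requests answered with 200.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        # Drop the query string, then decode percent-escapes in the path.
        path = unquote(urlsplit(m["target"]).path)
        ep = ENDPOINT_RE.match(path)
        if ep:
            hits[ep["group"]][m["ip"]].append(m["ts"])
    return {g: dict(ips) for g, ips in hits.items()}

if __name__ == "__main__":
    for group, clients in sorted(group_log_reads(SAMPLE_LOG).items()):
        for ip, stamps in sorted(clients.items()):
            print(f"{group}\t{ip}\t{len(stamps)} read(s), first at {stamps[0]}")
```

Compare the reported group names against the groups that have per-group SMTP credentials configured to decide which reads need follow-up.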