Path traversal in Discourse - CVE-2026-45775
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive backup information.
The vulnerability is a path traversal in backup download handling, present in multisite deployments that use local backup storage. A remote privileged user can send a specially crafted backup download request to disclose sensitive backup information.
Only multisite deployments using local backup storage are affected. Deployments using S3 backup storage are not affected.
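The following added example (not Discourse's code and not taken from the fix) shows the general defensive pattern for this class of bug: confine a requested backup name to the requesting site's own directory rather than to the shared backup root. The directory layout `<root>/<site>/<file>`, the site and file names, and all function names are assumptions made for illustration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"
# Assumed layout (hypothetical, not Discourse's): <root>/<site>/<backup file>
class BackupPathError < StandardError; end

# Insufficient: confines the path to the shared root only, so a name that
# climbs out of one site's directory into a sibling's still passes.
def root_only_resolve(root, site, name)
  path = File.expand_path(name, File.join(root, site))
  raise BackupPathError, "outside root" unless path.start_with?(File.join(root, ""))
  path
end

# Hardened: plain file name only, and the symlink-resolved result must sit
# directly inside the requesting site's own directory.
def resolve_backup(root, site, name)
  raise BackupPathError, "bad site" unless site.match?(/\A[a-z0-9_]+\z/)
  if name.empty? || name.match?(%r{[/\\\x00]}) || %w[. ..].include?(name)
    raise BackupPathError, "bad file name"
  end
  site_dir = Pathname.new(root).join(site).realpath
  candidate = site_dir.join(name)
  raise BackupPathError, "no such backup" unless candidate.file?
  real = candidate.realpath
  raise BackupPathError, "outside site directory" unless real.parent == site_dir
  real.to_s
end

def verdict(root, site, name)
  resolve_backup(root, site, name)
  :allowed
rescue BackupPathError
  :rejected
end

# Constructed fixture: two sites, one backup each, plus a symlink in site_a to site_b's backup.
def demo
  Dir.mktmpdir do |tmp|
    root = File.realpath(tmp)
    %w[site_a site_b].each do |s|
      FileUtils.mkdir_p(File.join(root, s))
      File.write(File.join(root, s, "#{s}.tar.gz"), "constructed")
    end
    File.symlink(File.join(root, "site_b", "site_b.tar.gz"), File.join(root, "site_a", "link.tar.gz"))
    cross = "../site_b/site_b.tar.gz"
    { weak_cross_site: root_only_resolve(root, "site_a", cross).end_with?("site_b/site_b.tar.gz"),
      own: verdict(root, "site_a", "site_a.tar.gz"), cross_site: verdict(root, "site_a", cross),
      symlink: verdict(root, "site_a", "link.tar.gz") }
  end
end
```

Calling `demo` returns a hash showing that the root-only check accepts the cross-site name, while the per-site check allows only the site's own backup and rejects both the traversal and the symlink.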