Information disclosure in Discourse - CVE-2026-44780
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in ReviewableQueuedPostSerializer when rendering queued posts received via incoming email. A remote user can access the review queue to read the full raw incoming email content and disclose sensitive information.
The exposed content may include headers, sender trace, mail user agent information, and message body. The issue affects users who are not in the groups allowed to view raw email.
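
The class of flaw described above, shown as an added illustration that is not Discourse's code or its patch: a serializer that returns a queued post's whole payload, next to one that drops the raw email unless the viewer is in an allowed group. All class names, the `raw_email` payload key, the group ids and the sample post are assumptions constructed for this example.

```ruby
require "set"

# Hypothetical names throughout; this is not Discourse's serializer code.
Viewer = Struct.new(:name, :group_ids)
RAW_EMAIL_ALLOWED_GROUPS = Set[1].freeze      # assumed: group 1 may view raw email
SENSITIVE_PAYLOAD_KEYS = %w[raw_email].freeze # assumed payload key for the raw message

# Constructed sample: a queued post created from an incoming email.
QUEUED_POST = {
  id: 42,
  payload: {
    "raw" => "Please reset my account.",
    "raw_email" => "Received: from mail.example.net\r\nUser-Agent: ExampleMail 1.0\r\n" \
                   "\r\nPlease reset my account.",
  },
}.freeze

class QueuedPostSerializerBase
  def initialize(post, viewer)
    @post = post
    @viewer = viewer
  end
end

# Before: every review-queue user receives the whole payload, raw email included.
class UnfilteredQueuedPostSerializer < QueuedPostSerializerBase
  def as_json
    { id: @post[:id], payload: @post[:payload] }
  end
end

# After: sensitive keys are dropped unless the viewer is in an allowed group.
class FilteredQueuedPostSerializer < QueuedPostSerializerBase
  def as_json
    payload = @post[:payload]
    payload = payload.reject { |key, _| SENSITIVE_PAYLOAD_KEYS.include?(key) } unless can_view_raw_email?
    { id: @post[:id], payload: payload }
  end

  private

  def can_view_raw_email?
    @viewer.group_ids.any? { |id| RAW_EMAIL_ALLOWED_GROUPS.include?(id) }
  end
end

# Regression check: does a serialized payload expose the raw email?
def exposes_raw_email?(json)
  SENSITIVE_PAYLOAD_KEYS.any? { |key| json[:payload].key?(key) }
end
```

A check like `exposes_raw_email?` belongs in a serializer test that runs once per viewer role, so a later change to the payload shape cannot silently reintroduce the field.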