Information disclosure in Discourse - CVE-2026-44780

Published: July 1, 2026


Vulnerability identifier: #VU136589
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44780
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software: Discourse

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information.

The vulnerability exists because ReviewableQueuedPostSerializer exposes the full raw incoming email when it renders a queued post that was created from an inbound email, regardless of whether the viewer belongs to the groups allowed to view raw email. A remote user who can access the review queue (low privileges, PR:L in the CVSS vector) can therefore read the complete raw email behind such queued posts and disclose sensitive information.

The exposed content includes the message headers, sender trace headers, mail user agent information, and the message body, and it is readable by reviewers who are not members of the groups allowed to view raw email.
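The pattern behind this class of bug, as an added illustration that is not Discourse's code: a serializer for a queued post that always emits the raw inbound email, beside a version that emits it only when the viewer belongs to a group allowed to see raw email. Every name below (QueuedPost, Viewer, RAW_EMAIL_GROUPS, the serializer classes and the sample message) is an assumption made for this example, and the sample email is constructed.

```ruby
# Added illustration, not Discourse's own code. Names, group list and the
# sample inbound message are assumptions for this example.
require 'json'

# Assumed: the groups whose members may view raw email.
RAW_EMAIL_GROUPS = %w[admins staff].freeze

QueuedPost = Struct.new(:id, :raw, :raw_email, keyword_init: true)
Viewer     = Struct.new(:username, :groups, keyword_init: true)

# Constructed sample: a queued post created from an inbound email. The
# headers are exactly the kind of data a reviewer should not see.
SAMPLE_RAW_EMAIL = <<~MAIL
  Received: from mail.example.test ([192.0.2.10]) by inbound.forum.test
  From: "Alice" <alice@example.test>
  To: support+queue@forum.test
  X-Mailer: ExampleMailer/1.0
  Subject: Account question

  Hello, my account number is 1234-5678, please call me.
MAIL

QUEUED = QueuedPost.new(
  id: 42,
  raw: "Hello, my account number is 1234-5678, please call me.",
  raw_email: SAMPLE_RAW_EMAIL
)

# Leaky pattern: anyone who can render the queued post gets the whole
# inbound message (headers, trace, mail user agent, body).
class LeakyQueuedPostSerializer
  def initialize(post, viewer)
    @post = post
    @viewer = viewer
  end

  def as_json
    { id: @post.id, raw: @post.raw, raw_email: @post.raw_email }
  end
end

# Gated pattern: raw_email is present only when the viewer is in one of
# the allowed groups; for everyone else the key is simply absent.
class GatedQueuedPostSerializer
  def initialize(post, viewer)
    @post = post
    @viewer = viewer
  end

  def include_raw_email?
    (@viewer.groups & RAW_EMAIL_GROUPS).any?
  end

  def as_json
    h = { id: @post.id, raw: @post.raw }
    h[:raw_email] = @post.raw_email if include_raw_email?
    h
  end
end

def render(serializer_class, post, viewer)
  JSON.generate(serializer_class.new(post, viewer).as_json)
end

# The check a practitioner wants: does a reviewer outside the raw-email
# groups get mail headers in the queued-post payload?
def leaks_raw_email?(json)
  JSON.parse(json).key?("raw_email")
end

if __FILE__ == $PROGRAM_NAME
  reviewer = Viewer.new(username: "reviewer", groups: %w[moderators])
  puts "leaky serializer leaks raw email: #{leaks_raw_email?(render(LeakyQueuedPostSerializer, QUEUED, reviewer))}"
  puts "gated serializer leaks raw email: #{leaks_raw_email?(render(GatedQueuedPostSerializer, QUEUED, reviewer))}"
end
```

The point of the gated version is that the decision is made per viewer inside the serializer, so a queued post reaches a moderator who is not in an allowed group with no raw_email field at all, rather than relying on the client to hide it.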


How to mitigate CVE-2026-44780

Install the security update from the vendor's website. Until it is applied, treat everyone with access to the review queue as able to read the full raw email behind queued posts created from incoming mail, and restrict review-queue membership accordingly.

Sources