Information disclosure in Discourse - CVE-2026-47263
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the MessageBus.publish call for /web_hook_events/ in Jobs::RedeliverWebHookEvents when processing webhook redeliveries. A remote attacker can subscribe to the channel and enumerate sequential webhook IDs to disclose sensitive information.
On instances where login_required is disabled, anonymous users can access the channel. The exposed payload may include request and response headers and bodies, private post content, user PII, and data returned by third-party endpoints.
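The access-control gap described above, as an added example that is not Discourse's code or its patch: a toy in-memory bus (not the message_bus gem) showing who receives a message published with no audience versus one scoped to a group. The channel shape `/web_hook_events/7`, the group id and the client ids are constructed assumptions.

```ruby
# Toy in-memory model of audience-scoped publishing. This is NOT the
# message_bus gem; it only mirrors the idea of its user_ids:/group_ids: options.
Message = Struct.new(:channel, :data, :user_ids, :group_ids)
Client  = Struct.new(:user_id, :group_ids) # user_id nil means anonymous

class ToyBus
  def initialize
    @backlog = []
  end

  def publish(channel, data, user_ids: nil, group_ids: nil)
    @backlog << Message.new(channel, data, user_ids, group_ids)
  end

  # Everything a client polling `channel` would be handed.
  def deliver(channel, client)
    @backlog.select { |m| m.channel == channel && allowed?(m, client) }.map(&:data)
  end

  private

  def allowed?(msg, client)
    users  = msg.user_ids || []
    groups = msg.group_ids || []
    return true if users.empty? && groups.empty? # no audience: any subscriber
    return false if client.user_id.nil?          # scoped: anonymous never matches
    users.include?(client.user_id) || !(groups & client.group_ids).empty?
  end
end

ADMIN_GROUP = 1                       # constructed group id
CHANNEL = "/web_hook_events/7"        # assumed channel shape, constructed id
EVENT = { status: 200, response_body: "constructed sample body" }.freeze

# Returns how many messages each kind of client receives in both cases.
def audience_report
  anon   = Client.new(nil, [])
  member = Client.new(10, [])
  admin  = Client.new(42, [ADMIN_GROUP])

  open_bus = ToyBus.new
  open_bus.publish(CHANNEL, EVENT)                              # as described
  scoped_bus = ToyBus.new
  scoped_bus.publish(CHANNEL, EVENT, group_ids: [ADMIN_GROUP])  # audience set

  count = ->(bus) { [anon, member, admin].map { |c| bus.deliver(CHANNEL, c).size } }
  { unscoped: count.call(open_bus), scoped: count.call(scoped_bus) }
end

p audience_report if __FILE__ == $PROGRAM_NAME
```

When auditing other publish calls for the same pattern, the thing to look for is a channel carrying sensitive payloads with no audience argument at all.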