Improper access control in Discourse - CVE-2026-46413

Published: July 1, 2026

Vulnerability identifier: #VU136592
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46413
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify files in the admin backup store.

The vulnerability exists due to improper access control when handling direct S3 multipart upload requests to the backup store. A remote user can upload files to the S3 backup store and thereby modify files in the admin backup store.


How to mitigate CVE-2026-46413

Install the security update from the vendor's website.

Sources