Improper access control in Discourse - CVE-2026-44787
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and post whisper content.
The vulnerability exists due to improper access control in the signup flow when assigning primary_group_id during account registration. A remote attacker can register a new account with a primary_group_id that grants whisper-group privileges, and thereby disclose sensitive information and post whisper content.
Only sites that have configured the whispers_allowed_groups setting to include one or more groups are affected. The default configuration is not affected.
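The access-control pattern behind this class of bug, as an added illustration (not Discourse's code and not its actual fix): a registration handler that copies a client-supplied primary_group_id onto the new account, beside a hardened handler that reads only an allow-list of signup fields and leaves group assignment to the server. All names, the whisper group id and the sample request are constructed for the example.

```ruby
require 'set'

# Constructed: group 3 stands in for a group listed in whispers_allowed_groups.
WHISPERS_ALLOWED_GROUPS = Set[3]
# Fields a signup request may set. primary_group_id is deliberately absent:
# group membership is a server-side decision, never a registration input.
PERMITTED_SIGNUP_FIELDS = %w[username email password].freeze

User = Struct.new(:username, :email, :primary_group_id, :group_ids)

# Vulnerable pattern (hypothetical): every submitted key is honoured, so an
# attacker-controlled primary_group_id lands on the new account unchanged.
def register_user_unsafe(params)
  User.new(params['username'], params['email'], params['primary_group_id'], [])
end

# Hardened pattern (hypothetical): unknown keys are dropped before any
# assignment, and primary_group_id starts as nil regardless of the request.
def register_user_safe(params)
  clean = params.select { |k, _| PERMITTED_SIGNUP_FIELDS.include?(k) }
  User.new(clean['username'], clean['email'], nil, [])
end

# Weak authorization check for contrast: trusts the primary_group_id field
# on its own, which is exactly the value a signup could influence.
def can_whisper_by_primary_group?(user)
  WHISPERS_ALLOWED_GROUPS.include?(user.primary_group_id)
end

# Stronger check: whisper access follows actual group membership granted by
# an admin or automatic rule, not a field the account carried in at signup.
def can_whisper?(user)
  user.group_ids.any? { |gid| WHISPERS_ALLOWED_GROUPS.include?(gid) }
end

# Constructed registration request carrying an unexpected primary_group_id.
CRAFTED_SIGNUP = {
  'username' => 'newuser', 'email' => 'new@example.test',
  'password' => 'correct-horse-battery', 'primary_group_id' => 3
}.freeze
```

A regression test for the hardened handler should assert both that the stored primary_group_id is nil after signup and that whisper authorization is derived from membership rather than from that field.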