Improper access control in Discourse - CVE-2026-53961

Published: July 1, 2026

Vulnerability identifier: #VU136598
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-53961
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to disable a targeted user's email delivery and cause a denial of service.

The vulnerability exists due to improper access control in the AWS SES bounce webhook endpoint when processing SNS bounce notifications: a notification is accepted on the strength of its SNS signature alone, without checking that it originates from a trusted SNS topic. A remote attacker can therefore publish validly signed but forged bounce notifications from an untrusted SNS topic to disable a targeted user's email delivery and cause a denial of service.

Exploitation requires that the email webhooks endpoint is exposed and that the site uses AWS SES with SNS for bounce handling. No forum account or victim interaction is required.
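The control the description above says is missing is an origin check: an SNS signature proves that AWS signed the envelope, not that the envelope came from the topic the site subscribed to for SES bounces. The following Ruby example (added here as illustration; it is not Discourse's code and does not show the vendor's actual fix) processes an SES bounce notification only after confirming the envelope's TopicArn is on an allowlist of topics the site owns. The topic ARN, the sample envelope bodies and the function names are constructed; the JSON field names (Type, TopicArn, Message for SNS; notificationType, bounce.bounceType, bounce.bouncedRecipients[].emailAddress for SES) are the documented AWS ones. Signature verification is assumed to have been done by the caller before this point.

```ruby
require "json"

# Constructed allowlist: the SNS topic(s) this site actually subscribes to for
# SES bounce notifications. Hypothetical ARN, not taken from the advisory.
TRUSTED_BOUNCE_TOPIC_ARNS = [
  "arn:aws:sns:us-east-1:123456789012:example-ses-bounces"
].freeze

class UntrustedTopicError < StandardError; end

# Return the recipient addresses named in a permanent SES bounce delivered via
# SNS, but only if the envelope names a topic we own. `envelope` is the parsed
# SNS JSON body. The SNS signature is assumed to be verified already; that
# proves AWS signed the message, not that it came from our topic, which is
# exactly the gap the origin check below closes.
def bounced_recipients(envelope, trusted_topics: TRUSTED_BOUNCE_TOPIC_ARNS)
  topic = envelope["TopicArn"].to_s
  unless trusted_topics.include?(topic)
    raise UntrustedTopicError, "bounce notification from unexpected topic #{topic.inspect}"
  end
  return [] unless envelope["Type"] == "Notification"

  # The SNS Message field carries the SES notification as a JSON string.
  message = JSON.parse(envelope["Message"].to_s)
  return [] unless message["notificationType"] == "Bounce"

  bounce = message.fetch("bounce", {})
  # Only permanent bounces justify disabling delivery; transient ones do not.
  return [] unless bounce["bounceType"] == "Permanent"

  Array(bounce["bouncedRecipients"]).map { |r| r["emailAddress"] }.compact
end

# Constructed sample envelope (not captured from any real system): a signed
# SNS notification wrapping an SES permanent bounce for one recipient.
def sample_envelope(topic_arn)
  ses_message = {
    "notificationType" => "Bounce",
    "bounce" => {
      "bounceType" => "Permanent",
      "bouncedRecipients" => [{ "emailAddress" => "user@example.test" }]
    }
  }
  {
    "Type" => "Notification",
    "TopicArn" => topic_arn,
    "Message" => JSON.generate(ses_message),
    "Signature" => "<signature assumed already verified>"
  }
end

# Run the check against an envelope from our own topic and against an
# otherwise identical envelope naming a topic we do not own.
def demo
  own = bounced_recipients(sample_envelope(TRUSTED_BOUNCE_TOPIC_ARNS.first))
  begin
    bounced_recipients(sample_envelope("arn:aws:sns:us-east-1:999999999999:someone-elses-topic"))
    other = :accepted
  rescue UntrustedTopicError
    other = :rejected
  end
  { own: own, other: other }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The rejection should be logged with the offending TopicArn, since repeated notifications from unexpected topics against the webhook endpoint are a useful detection signal in their own right.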


How to mitigate CVE-2026-53961

Install the security update from the vendor's website.

Sources