Improper access control in Discourse - CVE-2026-53961
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disable a targeted user's email delivery and cause a denial of service.
The vulnerability exists due to improper access control in the AWS SES bounce webhook endpoint when processing SNS bounce notifications. A remote attacker can publish validly signed but forged bounce notifications from an untrusted SNS topic to disable a targeted user's email delivery and cause a denial of service.
Exploitation requires that the email webhooks endpoint is exposed and that the site uses AWS SES with SNS for bounce handling. No forum account or victim interaction is required.
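The distinction the advisory draws, between a notification that is validly signed and one that actually comes from the topic the site subscribed to, is easiest to see in code. The following is an added illustrative handler, not Discourse's own code or its fix: it verifies the SNS signature over the canonical string-to-sign and then separately pins the `TopicArn` to the one the site configured. The ARNs, message ids and bounce payload are constructed, and a locally generated RSA key stands in for the certificate SNS serves at `SigningCertURL`, so it runs offline; a production handler must additionally fetch that certificate and verify the URL points at an `sns.<region>.amazonaws.com` host over HTTPS.

```ruby
require "openssl"
require "json"

# Added example (not Discourse's code): an SES bounce webhook that checks the SNS
# signature AND pins the TopicArn. All ARNs, ids and messages are constructed,
# and the key pair is generated locally in place of the certificate SNS serves
# at SigningCertURL (a real handler must also fetch and validate that cert).

# Field order of the SNS string-to-sign for Type=Notification.
SIGNED_FIELDS = %w[Message MessageId Subject Timestamp TopicArn Type].freeze

def string_to_sign(n)
  SIGNED_FIELDS.each_with_object(+"") do |k, s|
    next if k == "Subject" && !n.key?("Subject") # Subject is optional
    s << k << "\n" << n[k].to_s << "\n"
  end
end

# SignatureVersion 1 = SHA1withRSA, 2 = SHA256withRSA (both base64-encoded).
def signature_valid?(n, public_key)
  digest = n["SignatureVersion"] == "2" ? OpenSSL::Digest.new("SHA256") : OpenSSL::Digest.new("SHA1")
  sig = n["Signature"].to_s.unpack1("m0")
  public_key.verify(digest, sig, string_to_sign(n))
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false
end

# The access-control check at issue: a good signature only proves SNS signed
# the message, not that it came from the topic this site subscribed to.
def trusted_topic?(n, expected_arn)
  n["TopicArn"].is_a?(String) && n["TopicArn"] == expected_arn
end

# Returns a [status, detail] pair instead of touching user records, so the
# decision is easy to test and to log.
def handle_bounce(raw_json, public_key, expected_arn)
  n = JSON.parse(raw_json)
  return [:rejected, :bad_signature]    unless signature_valid?(n, public_key)
  return [:rejected, :untrusted_topic]  unless trusted_topic?(n, expected_arn)
  return [:ignored,  :not_notification] unless n["Type"] == "Notification"
  bounce = JSON.parse(n["Message"])
  return [:ignored, :not_bounce] unless bounce["notificationType"] == "Bounce"
  recipients = Array(bounce.dig("bounce", "bouncedRecipients")).map { |r| r["emailAddress"] }
  [:accepted, recipients]
end

# Test helper standing in for SNS: signs a notification with the local key.
def sign_notification(fields, private_key)
  n = fields.merge("SignatureVersion" => "1", "Type" => "Notification")
  sig = private_key.sign(OpenSSL::Digest.new("SHA1"), string_to_sign(n))
  n.merge("Signature" => [sig].pack("m0"))
end

KEY = OpenSSL::PKey::RSA.new(2048)
EXPECTED_ARN = "arn:aws:sns:us-east-1:111111111111:ses-bounces"        # constructed
OTHER_ARN    = "arn:aws:sns:us-east-1:222222222222:some-other-topic"   # constructed
BOUNCE_BODY  = JSON.generate(
  "notificationType" => "Bounce",
  "bounce" => { "bounceType" => "Permanent",
                "bouncedRecipients" => [{ "emailAddress" => "user@example.com" }] }
)

# Runs the handler against a genuine notification, one correctly signed but for a
# different topic, and one whose body was altered after signing.
def demo
  base = { "Message" => BOUNCE_BODY, "MessageId" => "constructed-id-1",
           "Timestamp" => "2026-07-01T00:00:00.000Z" }
  genuine     = sign_notification(base.merge("TopicArn" => EXPECTED_ARN), KEY)
  other_topic = sign_notification(base.merge("TopicArn" => OTHER_ARN), KEY)
  tampered    = genuine.merge("Message" => BOUNCE_BODY.sub("user@", "someone-else@"))
  {
    genuine: handle_bounce(JSON.generate(genuine), KEY.public_key, EXPECTED_ARN),
    other_topic_signature_ok: signature_valid?(other_topic, KEY.public_key),
    other_topic: handle_bounce(JSON.generate(other_topic), KEY.public_key, EXPECTED_ARN),
    tampered: handle_bounce(JSON.generate(tampered), KEY.public_key, EXPECTED_ARN)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `other_topic_signature_ok` result is the point of the advisory: the signature check alone accepts the second notification, and only the `TopicArn` pin turns it into `[:rejected, :untrusted_topic]`. Rejections on either check are worth logging with the offending ARN, since a stream of signed notifications from an unexpected topic is a detection signal a site operator can act on.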