BIT-discourse-2026-26077

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-26077.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-discourse-2026-26077

Aliases

CVE-2026-26077

Published

2026-03-03T13:29:03.296Z

Modified

2026-03-03T14:41:18.512203Z

Summary

Discourse doesn't ensure webhooks require a token

Details

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., sendgrid_verification_key, mailjet_webhook_token, postmark_webhook_token, sparkpost_webhook_token). There's no current workaround for mailpace before getting this fix.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2025.12.2

Introduced

2026.1.0

Fixed

2026.1.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-26077.json"