CVE-2026-26077

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2025.12.2 Discourse versions prior to 2026.1.1 Discourse versions prior to 2026.2.0

Description Discourse is an open source discussion platform. Several webhook endpoints—SendGrid, Mailjet, Mandrill, Postmark, SparkPost, and Mailpace—in the WebhooksController did not require a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and increase user bounce scores, potentially disabling legitimate user emails. The Mailpace endpoint lacked token validation entirely.

Recommendations For Discourse versions prior to 2025.12.2, ensure that webhook authentication tokens are configured for all email provider integrations in site settings, such as sendgrid verification key, mailjet webhook token, postmark webhook token, and sparkpost webhook token. For Discourse versions prior to 2026.1.1, ensure that webhook authentication tokens are configured for all email provider integrations in site settings, such as sendgrid verification key, mailjet webhook token, postmark webhook token, and sparkpost webhook token. For Discourse versions prior to 2026.2.0, ensure that webhook authentication tokens are configured for all email provider integrations in site settings, such as sendgrid verification key, mailjet webhook token, postmark webhook token, and sparkpost webhook token.