PT-2026-29317 · Discourse · Discourse

Davidtaylorhq · Published 2026-03-31 · Updated 2026-04-07 · CVE-2026-33185

CVSS v4.0: 5.3 Medium

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 through 2026.2.9

Description

Discourse, an open-source discussion platform, had an issue where the group email settings test endpoint could be exploited to make the server initiate outbound connections to arbitrary hosts and ports. This could potentially allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners.

Recommendations

Update to Discourse version 2026.1.3 or later. Update to Discourse version 2026.2.2 or later. Update to Discourse version 2026.3.0 or later.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-33185
CVE-2026-33185
GHSA-5976-77MJ-M4H3

Affected Products

Discourse