Platform
discourse
Component
discourse
Fixed in
2025.12.3
2026.1.1
2026.2.1
CVE-2026-26077 affects Discourse, an open-source discussion platform. It allows an unauthenticated attacker to forge the webhook payloads that email providers send to Discourse, inflating users' bounce scores until Discourse disables email for those legitimate accounts. Per the fixed-in versions listed above, the 2025.12 branch is affected before 2025.12.3, the 2026.1 branch before 2026.1.1, and the 2026.2 branch before 2026.2.1.
The core of CVE-2026-26077 is that Discourse's inbound email-provider webhooks could be fed by anyone. Providers such as SendGrid, Mailjet, Mandrill, Postmark and SparkPost call these endpoints to report delivery events, including bounces, and Discourse raises the affected user's bounce score accordingly. Because the endpoints did not require the request to carry the configured token, an attacker can post forged bounce events for any address, push that user's bounce score past the threshold, and have Discourse stop sending them email. The Mailpace endpoint was worse still: it had no token validation at all, so exploitation there was trivial. The practical impact is disrupted communication for the targeted users and a degraded experience for the community.
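As an added illustration (not Discourse's code and not the actual patch), the following Ruby model contrasts a bounce-webhook handler that trusts any POSTed event with one that fails closed when no token is configured and otherwise compares the presented token in constant time. The bounce threshold, the 401 rejection status, the `s3cr3t-webhook-token` value and the event shape are assumptions; the event array loosely mirrors a SendGrid-style event list. Failing closed on an unset token is deliberate: the workaround given on this page is to configure tokens, so the hardened version must refuse requests when the site has none, rather than wave them through.

```ruby
require "json"
require "openssl"

# Added illustrative model, NOT Discourse's code. Threshold, status codes and
# event shape are assumptions; the event array loosely mirrors SendGrid's.
BOUNCE_THRESHOLD = 4 # assumed bounce score at which a user's email is disabled

class BounceTracker
  attr_reader :scores

  def initialize
    @scores = Hash.new(0)
  end

  def record_bounce(email)
    @scores[email] += 1
  end

  def email_disabled?(email)
    @scores[email] >= BOUNCE_THRESHOLD
  end
end

# Apply provider events to the tracker: every "bounce" raises that address's
# score. Accepts a single event object or an array of them.
def apply_events(tracker, body)
  events = JSON.parse(body)
  events = [events] unless events.is_a?(Array)
  events.each do |event|
    tracker.record_bounce(event["email"]) if event["event"] == "bounce"
  end
  200
end

# Vulnerable shape: the body is trusted without checking who sent it, so
# anyone who can reach the URL can "bounce" any address they choose.
def handle_unauthenticated(tracker, body)
  apply_events(tracker, body)
end

# Constant-time equality so the token cannot be recovered byte by byte from
# response timing. Uses OpenSSL.secure_compare where the gem provides it.
def constant_time_equal?(a, b)
  return OpenSSL.secure_compare(a, b) if OpenSSL.respond_to?(:secure_compare)
  # Fallback for older openssl gems: hash both sides to equal length, then
  # fold every byte difference into one accumulator before deciding.
  da = OpenSSL::Digest.digest("SHA256", a)
  db = OpenSSL::Digest.digest("SHA256", b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero? && a == b
end

# Hardened shape: fail closed when no token is configured, require the
# request to present one, and only then process the events.
def handle_authenticated(tracker, body, configured_token:, presented_token:)
  return 401 if configured_token.nil? || configured_token.empty?
  return 401 if presented_token.nil?
  return 401 unless constant_time_equal?(configured_token, presented_token)
  apply_events(tracker, body)
end

VICTIM = "victim@example.com"
# Constructed forged payload: enough bounce events to cross the threshold.
FORGED_BODY = JSON.generate(
  Array.new(BOUNCE_THRESHOLD) { { "event" => "bounce", "email" => VICTIM } }
)

def demo
  token = "s3cr3t-webhook-token" # assumed value of the site's webhook token setting

  vulnerable = BounceTracker.new
  vulnerable_status = handle_unauthenticated(vulnerable, FORGED_BODY)

  fixed = BounceTracker.new
  missing = handle_authenticated(fixed, FORGED_BODY, configured_token: token, presented_token: nil)
  wrong   = handle_authenticated(fixed, FORGED_BODY, configured_token: token, presented_token: "guess")
  unset   = handle_authenticated(fixed, FORGED_BODY, configured_token: "", presented_token: "")
  score_after_rejections = fixed.scores[VICTIM]
  good    = handle_authenticated(fixed, FORGED_BODY, configured_token: token, presented_token: token)

  {
    vulnerable_status: vulnerable_status,                    # forged payload accepted
    vulnerable_disabled: vulnerable.email_disabled?(VICTIM), # victim's email now disabled
    missing_token_status: missing,
    wrong_token_status: wrong,
    unset_token_status: unset,                               # fail closed, not fall through
    score_after_rejections: score_after_rejections,          # rejections leave no trace
    genuine_status: good,                                    # the real provider still works
    genuine_disabled: fixed.email_disabled?(VICTIM)          # real bounces still count
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The three rejected calls leave the victim's score at zero, which is the property to verify after patching: a forged payload must not only be refused but must have no side effect on bounce tracking.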
CVE-2026-26077 was publicly disclosed on February 26, 2026. There is currently no indication of exploitation in the wild and no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog. Because the attack needs no credentials, only the ability to reach the endpoint, the patch should be applied promptly.
Discourse installations that receive delivery events from an external email service via these webhooks are at risk: community forums, online learning platforms, or any deployment whose notification or transactional mail is handled by SendGrid, Mailjet, Mandrill, Postmark, SparkPost or Mailpace. Shared or multi-tenant hosting deserves particular attention, since every hosted instance exposes the same endpoints and each instance's token configuration has to be checked separately.
• Linux / server: `journalctl -u discourse -g 'webhook' | grep -i 'error'` (assumes a systemd unit named `discourse`; the standard Docker-based install writes to `/var/discourse/shared/standalone/log/rails/production.log` instead, so grep that file for `webhook`).
• Generic web: send an unauthenticated POST to a webhook endpoint and confirm it is refused, e.g. `curl -s -o /dev/null -w '%{http_code}\n' -X POST -H 'Content-Type: application/json' -d '[]' https://your-discourse-instance.com/webhooks/sendgrid/endpoint`; a patched instance with tokens configured should answer with a 4xx status such as 401, not 200. The endpoints accept POST, so a HEAD request (`curl -I`) tells you nothing about the token check.
• Discourse: in the admin panel, review the webhook token setting of every email-provider integration and make sure each one is set and non-empty.
Disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26077 is to upgrade Discourse to the fixed release of your branch (2025.12.3, 2026.1.1 or 2026.2.1, or later), which adds the missing authentication checks. If an immediate upgrade is not feasible, configure and enforce a token for every email-provider integration you use, and consider temporarily disabling the affected webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the Discourse admin panel; Mailpace has no pre-upgrade workaround. Monitor your Discourse logs for suspicious webhook activity, in particular sudden spikes in bounce events or rejected requests to these endpoints. After upgrading, confirm the fix by sending a webhook payload without a valid token: it should be rejected and leave no change in any user's bounce score.
Update Discourse to 2025.12.3, 2026.1.1 or 2026.2.1 or later (the fixed release of your branch). Alternatively, configure authentication tokens for all email-provider integrations in the site settings (e.g. `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There is no workaround for Mailpace until this fix is applied.
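To make the advice to monitor logs concrete, here is an added Ruby script (not part of Discourse) that scans web-server access-log lines for POSTs to the provider webhook paths and flags two things: bursts from one source IP within a single minute, which is what replaying forged bounce payloads looks like from the outside, and rejected (401/403) POSTs, which after the fix are the forgery attempts the token check turned away. The log lines are constructed for the example; the `/webhooks/<provider>` path pattern (it also matches the longer `/webhooks/sendgrid/endpoint` form used above), the five-per-minute threshold and the 401/403 rejection codes are assumptions to adjust to your deployment.

```ruby
require "time"

# Constructed nginx "combined"-format lines, NOT real Discourse logs.
# 198.51.100.7 plays the legitimate email provider; 203.0.113.9 plays an
# attacker replaying forged bounce payloads (pre-fix: accepted with 200;
# post-fix: rejected with 401).
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [26/Feb/2026:10:00:01 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "SendGrid Event API"
  203.0.113.9 - - [26/Feb/2026:10:01:10 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  203.0.113.9 - - [26/Feb/2026:10:01:11 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  203.0.113.9 - - [26/Feb/2026:10:01:12 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  203.0.113.9 - - [26/Feb/2026:10:01:13 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  203.0.113.9 - - [26/Feb/2026:10:01:14 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  203.0.113.9 - - [26/Feb/2026:10:01:15 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "curl/8.4.0"
  192.0.2.44 - - [26/Feb/2026:10:02:00 +0000] "GET /latest HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.7 - - [26/Feb/2026:10:05:30 +0000] "POST /webhooks/sendgrid HTTP/1.1" 200 0 "-" "SendGrid Event API"
  203.0.113.9 - - [26/Feb/2026:11:40:02 +0000] "POST /webhooks/mailjet HTTP/1.1" 401 0 "-" "python-requests/2.32"
  203.0.113.9 - - [26/Feb/2026:11:40:03 +0000] "POST /webhooks/mailjet HTTP/1.1" 401 0 "-" "python-requests/2.32"
  203.0.113.9 - - [26/Feb/2026:11:40:04 +0000] "POST /webhooks/mailjet HTTP/1.1" 401 0 "-" "python-requests/2.32"
LOG

# nginx/Apache combined log format: ip ident user [ts] "req" status bytes "ref" "ua"
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"/
# Provider endpoints named on this page; assumed path layout /webhooks/<provider>[/...]
WEBHOOK_PATH = %r{\A/webhooks/(sendgrid|mailjet|mandrill|postmark|sparkpost|mailpace)(?:/|\?|\z)}
BURST_PER_MINUTE = 5 # assumed: more webhook POSTs than this per source per minute is suspicious
REJECTED_STATUSES = [401, 403].freeze # assumed codes a token failure produces

# Parse one line; return nil unless it is a POST to a provider webhook path.
def parse_webhook_post(line)
  m = LINE_RE.match(line)
  return nil unless m && m[:method] == "POST" && WEBHOOK_PATH.match?(m[:path])
  ts = Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z").utc
  { ip: m[:ip], minute: ts.strftime("%Y-%m-%d %H:%M"), path: m[:path],
    status: m[:status].to_i, ua: m[:ua] }
end

# Group webhook POSTs per (source, endpoint, minute) and per rejected source.
def analyze(log_text)
  posts = log_text.each_line.filter_map { |l| parse_webhook_post(l.chomp) }
  findings = []
  posts.group_by { |p| [p[:ip], p[:path], p[:minute]] }.each do |(ip, path, minute), group|
    next unless group.size > BURST_PER_MINUTE
    findings << { type: :burst, ip: ip, path: path, minute: minute, count: group.size,
                  agents: group.map { |p| p[:ua] }.uniq }
  end
  posts.select { |p| REJECTED_STATUSES.include?(p[:status]) }.group_by { |p| p[:ip] }.each do |ip, group|
    findings << { type: :rejected, ip: ip, count: group.size,
                  paths: group.map { |p| p[:path] }.uniq }
  end
  findings
end

def report(findings)
  findings.map do |f|
    case f[:type]
    when :burst
      "BURST    #{f[:ip]} sent #{f[:count]} POSTs to #{f[:path]} during #{f[:minute]} UTC (UA: #{f[:agents].join(', ')})"
    when :rejected
      "REJECTED #{f[:ip]} had #{f[:count]} webhook POSTs turned away (#{f[:paths].join(', ')})"
    end
  end
end

puts report(analyze(SAMPLE_LOG)) if $PROGRAM_NAME == __FILE__
```

On the constructed sample this reports one burst (six POSTs to `/webhooks/sendgrid` from 203.0.113.9 in the 10:01 minute, all from curl) and one rejected-source entry (three 401s on `/webhooks/mailjet`); the two provider POSTs and the unrelated GET produce nothing. A burst that was accepted with 200 before you patched is the signal to go and check the bounce scores of the addresses in those payloads.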
CVE-2026-26077 is a vulnerability in Discourse that lets unauthenticated attackers forge email-provider webhook payloads and, by inflating bounce scores, get legitimate users' email disabled. It affects the 2025.12, 2026.1 and 2026.2 branches before 2025.12.3, 2026.1.1 and 2026.2.1 respectively.
You are affected if you run a Discourse release earlier than 2025.12.3, 2026.1.1 or 2026.2.1 on the respective branch and use the email-provider webhook integrations.
Upgrade Discourse to 2025.12.3, 2026.1.1 or 2026.2.1 or later. As a temporary workaround, configure tokens for every provider integration or disable the vulnerable webhook endpoints in the admin panel (Mailpace has no workaround).
There is currently no evidence of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Discourse security advisory on their website: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual URL)