Platform: discourse
Component: discourse
Fixed in: 2025.12.3, 2026.1.1, 2026.2.1
CVE-2026-26077 affects Discourse, an open-source discussion platform. This vulnerability allows unauthenticated attackers to forge webhook payloads, potentially leading to inflated user bounce scores and the disabling of legitimate user emails. The issue impacts versions 2025.12.2 and earlier, 2026.1.1 and earlier, and 2026.2.0 and earlier. A fix is available in version 2026.2.0.
The core impact of CVE-2026-26077 lies in the ability of an attacker to manipulate Discourse's webhook system. Webhooks are used to send notifications to external services (like email providers) when certain events occur within Discourse. By forging these webhook payloads without authentication, an attacker can artificially inflate a user's bounce rate. This can trigger Discourse's anti-spam measures, leading to legitimate user emails being blocked or disabled. The Mailpace endpoint presented an even greater risk, lacking any token validation whatsoever, making exploitation trivial. This vulnerability could disrupt communication and negatively impact user experience.
CVE-2026-26077 was publicly disclosed on February 26, 2026. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively low complexity of exploitation (lack of authentication), it's prudent to apply the patch promptly.
Discourse installations utilizing external email services via webhooks are at risk. This includes organizations relying on Discourse for community forums, online learning platforms, or any application integrating with email marketing or notification services. Shared hosting environments running Discourse are particularly vulnerable, as misconfigurations on one instance could potentially impact others.
• linux / server:
journalctl -u discourse -g 'webhook' | grep -i 'error'
• generic web:
curl -I https://your-discourse-instance.com/webhooks/sendgrid/endpoint | grep -i '401 unauthorized'
• discourse: Check the Discourse admin panel for webhook token configuration. Ensure tokens are enabled and not empty for all endpoints.
disclosure
Exploit status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-26077 is to upgrade Discourse to version 2026.2.0 or later, which includes the necessary authentication checks. If an immediate upgrade is not feasible, consider temporarily disabling the vulnerable webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) within the Discourse admin panel. Review your Discourse configuration to ensure that webhook tokens are properly configured and enforced. Monitor your Discourse logs for suspicious webhook activity, particularly unusual spikes in bounce rates or unauthorized requests to these endpoints. After upgrading, confirm the fix by attempting to manually trigger a webhook payload without proper authentication; it should be rejected.
Update Discourse to version 2025.12.2, 2026.1.1 or 2026.2.0 or later. Alternatively, configure authentication tokens for all email provider integrations in the site settings (for example, `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There is no workaround for Mailpace short of obtaining this fix.
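To make the mechanism above and the token mitigation concrete, here is an added Ruby example (Discourse is a Rails application, but this is illustrative code, not Discourse's own). It places a bounce-webhook handler in the unverified shape the text attributes to the Mailpace endpoint beside a hardened handler that fails closed when the provider's token setting is unset or empty and compares the presented token in constant time. The setting names `sendgrid_verification_key`, `mailjet_webhook_token` and `postmark_webhook_token` come from the page; the `mailpace_webhook_token` name, the `t` query parameter, the bounce limit, the user table and every request body are constructed assumptions.

```ruby
require 'json'

# Constructed stand-in for site settings. Setting names for sendgrid, mailjet and
# postmark are the ones named on the page; the mailpace key name is hypothetical.
SITE_SETTINGS = {
  'sendgrid_verification_key' => 'constructed-sendgrid-token',
  'mailjet_webhook_token'     => 'constructed-mailjet-token',
  'postmark_webhook_token'    => '',   # present but empty: must count as "not configured"
  'mailpace_webhook_token'    => nil   # hypothetical name; never configured
}

PROVIDER_SETTING = {
  'sendgrid' => 'sendgrid_verification_key',
  'mailjet'  => 'mailjet_webhook_token',
  'postmark' => 'postmark_webhook_token',
  'mailpace' => 'mailpace_webhook_token'
}

# Constructed per-user state; after BOUNCE_LIMIT bounces outgoing email is
# switched off for the address, the effect the advisory describes.
BOUNCE_LIMIT = 3

def fresh_users
  { 'alice@example.invalid' => { bounces: 0, email_disabled: false } }
end

# Constant-time comparison so a token check does not leak bytes by timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Business logic shared by both handlers: record one bounce for the address.
def record_bounce(users, email)
  user = users[email]
  return nil unless user
  user[:bounces] += 1
  user[:email_disabled] = true if user[:bounces] >= BOUNCE_LIMIT
  user
end

# Unverified shape (what the text says the Mailpace endpoint did): the body
# is trusted as-is, so any sender can raise a user's bounce count.
def handle_bounce_unverified(users, request)
  payload = JSON.parse(request[:body])
  record_bounce(users, payload['email'])
  { status: 200 }
end

# Hardened shape: a configured, non-empty token must match the presented one
# before the body is even parsed. Unknown provider or missing token fails closed.
def handle_bounce_verified(users, provider, request)
  setting = PROVIDER_SETTING[provider]
  return { status: 404 } unless setting
  expected = SITE_SETTINGS[setting]
  return { status: 401, reason: 'webhook token not configured' } if expected.nil? || expected.empty?
  presented = request[:params]['t']
  return { status: 401, reason: 'token mismatch' } unless secure_compare(expected, presented)
  payload = JSON.parse(request[:body])
  record_bounce(users, payload['email'])
  { status: 200 }
end

# Constructed request carrying no credential at all.
def unauthenticated_request(email)
  { params: {}, body: JSON.generate('email' => email, 'event' => 'bounce') }
end

# Runs the same unauthenticated request against both handlers and reports
# whether the user's email ended up disabled in each case.
def demo
  users = fresh_users
  3.times { handle_bounce_unverified(users, unauthenticated_request('alice@example.invalid')) }
  before = users['alice@example.invalid'][:email_disabled]   # true: email disabled without any auth

  users = fresh_users
  resp = handle_bounce_verified(users, 'sendgrid', unauthenticated_request('alice@example.invalid'))
  after = users['alice@example.invalid'][:email_disabled]    # false: request was rejected
  { before: before, after: after, status: resp[:status] }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The `postmark` and `mailpace` entries show why "not empty" matters as much as "enabled": an empty or absent token must be treated as no token, rejecting every request, rather than as a token that any empty value matches. A request with the correct `t` value for sendgrid still passes and records the bounce, so the check does not break legitimate provider traffic.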
CVE-2026-26077 is a vulnerability in Discourse allowing unauthenticated attackers to forge webhook payloads, potentially disabling user emails. It affects versions ≤ 2026.2.0 and < 2026.2.0.
You are affected if you are running Discourse versions 2025.12.2 and earlier, 2026.1.1 and earlier, or 2026.2.0 and earlier, and are using webhooks.
Upgrade Discourse to version 2026.2.0 or later. As a temporary workaround, disable vulnerable webhook endpoints in the admin panel.
There is currently no evidence of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Discourse security advisory on their website: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual URL)