Discourse ReviewableQueuedPostSerializer raw_email leak 2026.13.0
CVE-2026-44780 Published on June 12, 2026
Discourse: Category queue reviewers can read raw incoming emails from queued posts
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Vulnerability Analysis
CVE-2026-44780 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-44780 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2026-44780
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.4.0-latest, < 2026.4.1 is affected.
- Version >= 2026.3.0-latest, < 2026.3.1 is affected.
- Version >= 2026.1.0-latest, < 2026.1.4 is affected.