Discourse 2026.x Whispers Reply Auth Bypass
CVE-2026-44783 Published on June 12, 2026
Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Vulnerability Analysis
CVE-2026-44783 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-44783 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-44783
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.1.0-latest, < 2026.1.4 is affected.
- Version >= 2026.3.0-latest, < 2026.3.1 is affected.
- Version >= 2026.4.0-latest, < 2026.4.1 is affected.