Discourse ExternalUploadManager S3 PrivEsc pre-2026.6.0
CVE-2026-46413 Published on July 9, 2026
Discourse: Regular users can route multipart uploads into the admin backup store
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Vulnerability Analysis
CVE-2026-46413 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-46413 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-46413
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.1.0-latest, < 2026.1.5 is affected.
- Version >= 2026.4.0-latest, < 2026.4.2 is affected.
- Version >= 2026.5.0-latest, < 2026.5.1 is affected.