Discourse: 11 Bugs Patched in Coordinated June 12 Release, Including Chat MessageBus Authorization Flaw
Eleven security vulnerabilities — ten Medium, one High — were patched in Discourse on June 12, 2026, spanning authorization bypasses, information disclosure, and privilege escalation across core, Chat, AI, and backup-handling components.

Key findings
- 11 CVEs disclosed together on June 12, 2026 across Discourse core and plugins
- One High-severity bug (CVE-2026-44786, CVSS 7.5) in Chat MessageBus scoping
- Chat plugin accounted for four authorization/disclosure issues (CVE-2026-45085)
- Group owners can read SMTP credentials in plaintext (CVE-2026-44784, CVSS 6.5)
- Path traversal in backup handling affects multisite deployments (CVE-2026-45775)
- Patched in 2026.1.4, 2026.3.1, 2026.4.1, plus 2026.5.0-beta for one bug
Discourse, the open-source discussion platform, has addressed 11 security vulnerabilities in a coordinated batch disclosed on June 12, 2026. The issues span authorization bypasses, information disclosure, and privilege escalation across core and plugin components, affecting versions in the 2026.1.x, 2026.3.x, 2026.4.x, and (in one case) pre-release 2026.5.0-beta branches. Discourse users are urged to update to patched versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-beta (for the bot audit-log issue).
Authorization & Information Disclosure in Chat and Calendar
The largest cluster involves four authorization and disclosure flaws in the Chat plugin, one also touching discourse-calendar. CVE-2026-45085 (CVSS 5.3) covers all four: read-only category users could create chat threads, send messages, or see thread titles in channels they should only observe. Separately, CVE-2026-44786 (CVSS 7.5, the batch's only High-severity bug) exposes chat events for public category channels via MessageBus without permission scoping, meaning any MessageBus subscriber can see chat events even if chat is disabled for their account.
Tag & Serializer Visibility Leaks
CVE-2026-47264 (CVSS 5.3) allowed DetailedTagSerializer#tag_group_names to return every tag group a tag belonged to without filtering for the requesting user's visibility — effectively leaking tag-group membership to unauthorized users. CVE-2026-44782 (CVSS 4.3) stemmed from a misnamed predicate in GroupPostSerializer: the serializer declared include_user_long_name? but Active Model Serializers looks for include_name?, causing the :name attribute to be silently omitted from serialization in some contexts, potentially leaking data through fallback behavior.
Webhook & Email Credential Exposure
CVE-2026-47263 (CVSS 4.3) describes a MessageBus channel scoping issue — Jobs::RedeliverWebHookEvents published to /web_hook_events/<id> without passing group_ids, leaving the channel readable by any subscriber. CVE-2026-44784 (CVSS 6.5) is more serious: group owners (who may not be admins or moderators) can view the group's outgoing email/SMTP credentials in plaintext through the group history log, a clear violation of the principle of least privilege.
Path Traversal & Whisper Post Flaws
CVE-2026-45775 (CVSS 6.8) describes a path traversal vulnerability in Discourse's backup handling. An authenticated administrator on one site in a multisite deployment could potentially read or write backup files belonging to another site on the same instance. Meanwhile, CVE-2026-44783 (CVSS 5.4) in core's whisper-post mechanism allows authenticated users outside the configured whispers_allowed_groups to post replies to whisper messages — a classic authorization bypass in the reply handler.
AI Helper & Queue Serializer & Bot Audit Logs
CVE-2026-44785 (CVSS 4.3) targets the AI "explain" helper: it checks can_see? on the post being explained but not on its reply_to_post, so any authenticated user with AI access can view the content of a replied-to post they otherwise lack permission to see. CVE-2026-44780 (CVSS 4.3) made ReviewableQueuedPostSerializer unconditionally include payload["raw_email"] for queued posts arriving via incoming email, leaking raw email content to category moderation groups. Finally, CVE-2026-44779 (CVSS 4.3) exposes whisper translation audit logs through bot debug endpoints — patched in 2026.5.0-beta as well as the stable branches.
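The following is an added example, not Discourse's own code, that models the missing reply_to_post check behind CVE-2026-44785: Post, User and Guardian are simplified stand-ins for the Discourse classes, and the `whisper` flag is a constructed visibility rule standing in for whatever made the parent post unreadable.

```ruby
# Constructed stand-ins for the Discourse models (not the real classes).
Post = Struct.new(:id, :raw, :whisper, :reply_to_post, keyword_init: true)
User = Struct.new(:username, :staff, keyword_init: true)

# Minimal stand-in for Discourse's Guardian#can_see?: whispers are staff-only.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    return false if post.nil?
    !post.whisper || @user.staff
  end
end

# Vulnerable shape: only the post being explained is authorized; the parent it
# replies to is pulled into the context without any permission check.
def explain_context_vulnerable(guardian, post)
  raise "forbidden" unless guardian.can_see?(post)
  parent = post.reply_to_post
  { post: post.raw, reply_to: parent&.raw }
end

# Fixed shape: the parent is included only when the requester may see it too;
# otherwise the helper degrades to explaining the post on its own.
def explain_context_fixed(guardian, post)
  raise "forbidden" unless guardian.can_see?(post)
  parent = post.reply_to_post
  parent = nil unless guardian.can_see?(parent)
  { post: post.raw, reply_to: parent&.raw }
end

# Constructed sample data: a public reply whose parent is a staff-only whisper.
WHISPER_PARENT = Post.new(id: 1, raw: "staff-only whisper", whisper: true, reply_to_post: nil)
PUBLIC_REPLY   = Post.new(id: 2, raw: "public reply", whisper: false, reply_to_post: WHISPER_PARENT)
OUTSIDER = Guardian.new(User.new(username: "member", staff: false))
STAFF    = Guardian.new(User.new(username: "mod", staff: true))

if __FILE__ == $PROGRAM_NAME
  p explain_context_vulnerable(OUTSIDER, PUBLIC_REPLY) # parent leaks to a non-staff user
  p explain_context_fixed(OUTSIDER, PUBLIC_REPLY)      # parent withheld
  p explain_context_fixed(STAFF, PUBLIC_REPLY)         # staff still gets full context
end
```

The lesson generalizes beyond this CVE: every object a helper pulls in transitively (parent post, quoted post, linked topic) needs its own can_see? check, not just the object named in the request.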
Response & Patch Guidance
All 11 CVEs were fixed in concurrent releases across three stable branches: Discourse 2026.1.4, 2026.3.1, and 2026.4.1. The bot debug endpoint issue (CVE-2026-44779) additionally received a fix in 2026.5.0-beta. No CVEs in this batch are reported as exploited in the wild at time of disclosure. Administrators running multisite deployments, enabling the Chat plugin, or using AI features should prioritize updating — the chat-MessageBus scoping bug (CVE-2026-44786) earned a 7.5 CVSS score for its low-complexity, network-based attack vector. As with previous Discourse security batches, the vendor has released no workarounds; full patching is the only recommended course.