discourse-ai admin-initiated SSRF when interacting with AI services
Description
discourse-ai is the AI plugin for the open-source discussion platform Discourse. Prior to commit 94ba0dadc2cf38e8f81c3936974c167219878edd, interactions with different AI services are vulnerable to admin-initiated SSRF attacks. Versions of the plugin that include commit 94ba0dadc2cf38e8f81c3936974c167219878edd contain a patch. As a workaround, one may disable the discourse-ai plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), affected range: < 94ba0dadc2cf38e8f81c3936974c167219878edd
Patches
Vulnerability mechanics
Root cause
"The plugin did not properly sanitize or validate URLs when interacting with external AI services, allowing for Server-Side Request Forgery (SSRF)."
Attack vector
An administrator user can initiate requests to various AI services through the discourse-ai plugin. By manipulating the configuration or parameters related to these AI service endpoints, an attacker can trick the server into making requests to arbitrary internal or external network resources. This bypasses intended network restrictions and can lead to unauthorized access or data exfiltration [ref_id=1].
Affected code
The vulnerability exists in multiple locations within the `lib/completions` directory of the discourse-ai plugin. Specifically, the `perform_completion!`, `perform!`, and `tool` methods across various files were modified to use `FinalDestination::HTTP` and `FinalDestination::FaradayAdapter` instead of the standard `Net::HTTP` and `Faraday` libraries [ref_id=1].
What the fix does
The patch introduces a new class, `FinalDestination`, which is used to wrap HTTP requests made by the plugin. This new class, along with its `FaradayAdapter`, is designed to enforce stricter controls on network requests, preventing them from reaching unintended destinations. By replacing direct `Faraday.post` and `Net::HTTP.start` calls with this new mechanism, the plugin mitigates the SSRF vulnerability by ensuring that all outgoing requests are properly validated and restricted [ref_id=1].
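The following is an added illustration of the wrapping approach described above; it is not the plugin's code and does not reproduce Discourse's `FinalDestination` API. The hypothetical `SafeOutboundHttp` module checks every outbound URL before a socket is opened (https only, host resolved once, resolved address rejected if it lies in a loopback, private, link-local or other non-public range) and then pins the connection to the address it checked. The `StubResolver` table and the example hostnames are constructed so the demonstration runs offline.

```ruby
require "ipaddr"
require "net/http"
require "resolv"
require "uri"
require "json"

# Hypothetical SSRF guard for outbound AI-service calls (illustration only;
# not Discourse's FinalDestination). Validation happens before any socket
# is opened, and the connection is pinned to the address that was checked
# so a second DNS lookup cannot substitute a different one.
module SafeOutboundHttp
  class BlockedDestination < StandardError; end

  # Address ranges an AI-service endpoint should never resolve to.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }

  # Constructed stand-in for DNS so the example runs offline.
  # A real deployment omits the resolver argument and gets Resolv.
  class StubResolver
    def initialize(table)
      @table = table
    end

    def getaddress(name)
      @table.fetch(name) { raise Resolv::ResolvError, "no address for #{name}" }
    end
  end

  # Returns [uri, resolved_ip] for an acceptable URL, else raises BlockedDestination.
  def self.validate(url, resolver: Resolv)
    uri = URI.parse(url)
    raise BlockedDestination, "only https endpoints are allowed" unless uri.is_a?(URI::HTTPS)
    host = uri.hostname # strips the [] around IPv6 literals
    raise BlockedDestination, "missing host" if host.nil? || host.empty?

    ip = literal_ip(host) || resolve(host, resolver)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.5 is really 10.0.0.5
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise BlockedDestination, "#{host} resolves to #{ip}, which is in a blocked range"
    end
    [uri, ip]
  end

  def self.literal_ip(host)
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end

  def self.resolve(host, resolver)
    IPAddr.new(resolver.getaddress(host).to_s)
  rescue Resolv::ResolvError
    raise BlockedDestination, "cannot resolve #{host}"
  end

  # Convenience predicate: true when validate would refuse the URL.
  def self.blocked?(url, resolver: Resolv)
    validate(url, resolver: resolver)
    false
  rescue BlockedDestination, URI::InvalidURIError
    true
  end

  # POSTs a JSON body to a validated endpoint. Redirects are deliberately not
  # followed: a redirect target would have to pass through validate again.
  def self.post_json(url, payload, headers = {}, resolver: Resolv)
    uri, ip = validate(url, resolver: resolver)
    http = Net::HTTP.new(uri.hostname, uri.port)
    http.ipaddr = ip.to_s # connect to the checked address; TLS SNI and certificate checks still use the hostname
    http.use_ssl = true
    http.open_timeout = 5
    http.read_timeout = 30
    req = Net::HTTP::Post.new(uri.request_uri, { "Content-Type" => "application/json" }.merge(headers))
    req.body = JSON.generate(payload)
    http.request(req)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed DNS table: a public (TEST-NET-3) address and a private one.
  dns = SafeOutboundHttp::StubResolver.new(
    "api.example.com" => "203.0.113.10",
    "internal.example" => "10.0.0.5"
  )
  %w[https://api.example.com/v1/chat http://api.example.com/v1/chat
     https://internal.example/admin https://127.0.0.1:9200/ https://[::ffff:10.0.0.5]/].each do |u|
    puts "#{u} -> #{SafeOutboundHttp.blocked?(u, resolver: dns) ? 'blocked' : 'allowed'}"
  end
end
```

The check is applied to the address actually connected to, not just the configured string, because an attacker-controlled hostname can resolve to a private address or change its answer between lookups. Anything that redirects, including an allowed public endpoint answering with a `Location` header pointing inward, has to be validated again before being followed.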
Preconditions
- config: The discourse-ai plugin must be installed and configured with access to AI services.
- auth: The attacker must have administrator privileges on the Discourse instance.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/discourse/discourse-ai/commit/94ba0dadc2cf38e8f81c3936974c167219878edd (MISC)
- github.com/discourse/discourse-ai/security/advisories/GHSA-32cj-rm2q-22cc (CONFIRM)