CVE-2026-44779
Description
Discourse bot debug endpoints leak whisper translation audit logs; fixed in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Discourse, from versions 2026.1.0 up to but not including 2026.1.4, 2026.3.0 up to but not including 2026.3.1, and 2026.4.0 up to but not including 2026.4.1, the bot debug endpoints inadvertently disclose whisper translation audit logs. This occurs due to insufficient access control on these debugging interfaces [1].
Exploitation
An attacker with network access to the vulnerable Discourse instance can request the bot debug endpoints to retrieve whisper translation audit logs. No authentication or user interaction is explicitly required based on the available disclosure [1].
Impact
Successful exploitation results in the unauthorized disclosure of whisper translation audit logs, which may contain sensitive or private conversation content. This affects the confidentiality of the system but does not impact integrity or availability [1].
Mitigation
The vulnerability has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Users are advised to upgrade to one of these fixed versions immediately. No workarounds have been disclosed in the available reference [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: >=2026.1.0, <2026.1.4 || >=2026.3.0, <2026.3.1 || >=2026.4.0, <2026.4.1
Patches
485674c7ee5d7 SECURITY: Prevent webhook payload disclosure on event redelivery [backport 2026.1]
2 files changed · +13 −0
app/jobs/scheduled/redeliver_web_hook_events.rb+1 −0 modified@@ -56,6 +56,7 @@ def publish_webhook_event(web_hook_event, web_hook, type) type: type, web_hook_event: AdminWebHookEventSerializer.new(web_hook_event, root: false).as_json, }, + group_ids: [Group::AUTO_GROUPS[:staff]], ) end end
spec/jobs/redeliver_web_hook_events_spec.rb+12 −0 modified@@ -43,6 +43,18 @@ expect(messages.first.data).to include(type: "redelivered") end + it "restricts the redelivery MessageBus publish to the staff group" do + stub_request(:post, web_hook.payload_url).to_return(status: 200, body: "", headers: {}) + + messages = + MessageBus.track_publish("/web_hook_events/#{web_hook.id}") do + job.execute(web_hook: web_hook, web_hook_event: web_hook_event1) + end + + expect(messages.size).to eq(1) + expect(messages.first.group_ids).to eq([Group::AUTO_GROUPS[:staff]]) + end + context "when there is a redelivering_webhook_event in process" do fab!(:redelivering_webhook_event_in_process) do Fabricate(
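Review bot: The single added line `group_ids: [Group::AUTO_GROUPS[:staff]]` in `publish_webhook_event` is the whole functional fix, which means the redelivery message on `/web_hook_events/#{web_hook.id}`, carrying `AdminWebHookEventSerializer.new(web_hook_event, root: false).as_json`, was previously published with no group scoping at all; the commit message should say that plainly, and any other publish to this channel outside this job should be checked for the same `group_ids` restriction. Separately, the commit title (webhook payload disclosure on event redelivery) does not match the CVE description above (bot debug endpoints leaking whisper translation audit logs), and nothing in this hunk touches a debug endpoint or a translation log, so either the description or the linked patch list needs reconciling.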
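Review bot: The new spec repeats the `stub_request` and `MessageBus.track_publish` setup of the "redelivered" example immediately above it; folding the `group_ids` expectation into that example, or moving the shared setup into a `before` block, keeps the two from drifting apart. The assertion itself is the right shape: `expect(messages.first.group_ids).to eq([Group::AUTO_GROUPS[:staff]])` rather than `include`, so a future change that widens the audience with an extra group id would fail the test.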
ec5d54b32917 DEV: Bump release branch to v2026.1.4
1 file changed · +1 −1
lib/version.rb+1 −1 modified@@ -7,7 +7,7 @@ module Discourse unless defined?(::Discourse::VERSION) module VERSION #:nodoc: # Use the `version_bump:*` rake tasks to update this value - STRING = "2026.1.3" + STRING = "2026.1.4" PARTS = STRING.split(".") private_constant :PARTS
6bb9b59d5d3f DEV: Bump release branch to v2026.4.1
1 file changed · +1 −1
lib/version.rb+1 −1 modified@@ -5,7 +5,7 @@ module Discourse unless defined?(::Discourse::VERSION) module VERSION #:nodoc: # Use the `version_bump:*` rake tasks to update this value - STRING = "2026.4.0" + STRING = "2026.4.1" PARTS = STRING.split(".") private_constant :PARTS
211de17ca39d DEV: Bump release branch to v2026.3.1
1 file changed · +1 −1
lib/version.rb+1 −1 modified@@ -5,7 +5,7 @@ module Discourse unless defined?(::Discourse::VERSION) module VERSION #:nodoc: # Use the `version_bump:*` rake tasks to update this value - STRING = "2026.3.0" + STRING = "2026.3.1" PARTS = STRING.split(".") private_constant :PARTS
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References (1)
News mentions (0)
No linked articles in our index yet.