VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 12, 2026

CVE-2026-47263

Description

Discourse webhook redelivery endpoint leaks the full event payload to unauthorized users due to a missing group_ids restriction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The MessageBus.publish call for /web_hook_events/ in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. Affected versions include 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 [1].

Exploitation

An attacker only needs to be an authenticated user (or anonymous if login_required is disabled) to subscribe to the MessageBus channel for a given webhook event ID. The redelivery is triggered by an admin through the "redeliver"/"redeliver failed" UI, which queues the RedeliverWebHookEvents job. When the job executes, the full payload is published to the channel, and any subscriber can receive it. No additional privileges or user interaction beyond authentication are required [1].

Impact

A successful subscriber receives the full AdminWebHookEventSerializer JSON, including request URL, request headers, request body, response headers, and response body. This may expose private post bodies, user PII, or response data from third-party endpoints that the subscriber is not authorized to see. The impact is information disclosure of potentially sensitive data [1].

Mitigation

The issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Users should upgrade to one of these patched versions. No workaround is available other than upgrading [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 3
d66b27164ea2

SECURITY: Prevent webhook payload disclosure on event redelivery [backport 2026.4]

https://github.com/discourse/discourse · Joffrey JAFFEUX · May 18, 2026 · Fixed in 2026.4.1 · via llm-release-walk
2 files changed · +13 −0
  • app/jobs/scheduled/redeliver_web_hook_events.rb (+1 −0, modified)
    @@ -56,6 +56,7 @@ def publish_webhook_event(web_hook_event, web_hook, type)
               type: type,
               web_hook_event: AdminWebHookEventSerializer.new(web_hook_event, root: false).as_json,
             },
    +        group_ids: [Group::AUTO_GROUPS[:staff]],
           )
         end
       end
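Review bot: the one-line `group_ids: [Group::AUTO_GROUPS[:staff]]` is the right scope for a channel that carries the full `AdminWebHookEventSerializer` output, but nothing in `publish_webhook_event` documents that restriction; add a comment above the `MessageBus.publish` call stating that this channel must never be published without `group_ids`, since the bug was an omitted keyword that no type or spec caught before this change.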
    
  • spec/jobs/redeliver_web_hook_events_spec.rb (+12 −0, modified)
    @@ -43,6 +43,18 @@
         expect(messages.first.data).to include(type: "redelivered")
       end
     
    +  it "restricts the redelivery MessageBus publish to the staff group" do
    +    stub_request(:post, web_hook.payload_url).to_return(status: 200, body: "", headers: {})
    +
    +    messages =
    +      MessageBus.track_publish("/web_hook_events/#{web_hook.id}") do
    +        job.execute(web_hook: web_hook, web_hook_event: web_hook_event1)
    +      end
    +
    +    expect(messages.size).to eq(1)
    +    expect(messages.first.group_ids).to eq([Group::AUTO_GROUPS[:staff]])
    +  end
    +
       context "when there is a redelivering_webhook_event in process" do
         fab!(:redelivering_webhook_event_in_process) do
           Fabricate(
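Review bot: `expect(messages.first.group_ids).to eq([Group::AUTO_GROUPS[:staff]])` is a good regression guard, but it only covers the `status: 200` path that `stub_request` sets up and a single message; since `publish_webhook_event` takes a `type` argument and the preceding example checks `type: "redelivered"`, consider asserting `group_ids` for every `type` the job publishes, so a second publish path cannot drop the keyword unnoticed.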
    
85674c7ee5d7

SECURITY: Prevent webhook payload disclosure on event redelivery [backport 2026.1]

https://github.com/discourse/discourse · Joffrey JAFFEUX · May 18, 2026 · Fixed in 2026.1.4 · via llm-release-walk
2 files changed · +13 −0
  • app/jobs/scheduled/redeliver_web_hook_events.rb (+1 −0, modified)
    @@ -56,6 +56,7 @@ def publish_webhook_event(web_hook_event, web_hook, type)
               type: type,
               web_hook_event: AdminWebHookEventSerializer.new(web_hook_event, root: false).as_json,
             },
    +        group_ids: [Group::AUTO_GROUPS[:staff]],
           )
         end
       end
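Review bot: this hunk is identical to the 2026.4 backport, including the `@@ -56,6 +56,7 @@` offsets, so `publish_webhook_event` matches on the 2026.1 branch; the same point applies that the publish call should carry a comment explaining why `group_ids` is mandatory on this channel.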
    
  • spec/jobs/redeliver_web_hook_events_spec.rb (+12 −0, modified)
    @@ -43,6 +43,18 @@
         expect(messages.first.data).to include(type: "redelivered")
       end
     
    +  it "restricts the redelivery MessageBus publish to the staff group" do
    +    stub_request(:post, web_hook.payload_url).to_return(status: 200, body: "", headers: {})
    +
    +    messages =
    +      MessageBus.track_publish("/web_hook_events/#{web_hook.id}") do
    +        job.execute(web_hook: web_hook, web_hook_event: web_hook_event1)
    +      end
    +
    +    expect(messages.size).to eq(1)
    +    expect(messages.first.group_ids).to eq([Group::AUTO_GROUPS[:staff]])
    +  end
    +
       context "when there is a redelivering_webhook_event in process" do
         fab!(:redelivering_webhook_event_in_process) do
           Fabricate(
    
211de17ca39d

DEV: Bump release branch to v2026.3.1

https://github.com/discourse/discourse · David Taylor · May 18, 2026 · Fixed in 2026.3.1 · via release-tag
1 file changed · +1 −1
  • lib/version.rb (+1 −1, modified)
    @@ -5,7 +5,7 @@ module Discourse
       unless defined?(::Discourse::VERSION)
         module VERSION #:nodoc:
           # Use the `version_bump:*` rake tasks to update this value
    -      STRING = "2026.3.0"
    +      STRING = "2026.3.1"
     
           PARTS = STRING.split(".")
           private_constant :PARTS
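Review bot: the version string change itself is fine and follows the `version_bump:*` rake task comment, but the commit message "DEV: Bump release branch to v2026.3.1" gives no hint that this tag ships the SECURITY fix; referencing the webhook redelivery commit in the message would let operators reading the tag history see why 2026.3.1 matters.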
    

Vulnerability mechanics

Root cause

"Missing `group_ids` parameter in `MessageBus.publish` for webhook event redelivery channel allows any subscriber to receive sensitive payload data."

Attack vector

An authenticated user (or any anonymous user on instances where `login_required` is disabled) can subscribe to the MessageBus channel `/web_hook_events/<id>`. Because webhook IDs are sequential integers and trivially enumerable, an attacker can iterate through IDs to receive the redelivered webhook event payloads, which may contain sensitive data. The vulnerability is triggered with network access and no special privileges beyond a valid session or anonymous access.

Affected code

The vulnerability is in `app/jobs/scheduled/redeliver_web_hook_events.rb` within the `publish_webhook_event` method, specifically the `MessageBus.publish` call for channel `/web_hook_events/<id>` which did not pass `group_ids`, leaving the channel readable by any authenticated user (or any anonymous user when `login_required` is disabled). All three patches [patch_id=5750833, patch_id=5750831, patch_id=5750832] apply the same one-line fix to this file.

What the fix does

The patch adds `group_ids: [Group::AUTO_GROUPS[:staff]]` to the `MessageBus.publish` call in `publish_webhook_event` [patch_id=5750833]. This restricts the `/web_hook_events/<id>` channel so that only members of the staff group can receive published messages, preventing disclosure of webhook event payloads to regular users or unauthenticated visitors. The fix aligns the redelivery publisher with the access controls that are presumably already in place for the original webhook event channels.
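To make the effect of the omitted keyword concrete, here is an added toy model of group-restricted channel delivery. It is constructed for this page, not the message_bus gem and not Discourse code; `ToyMessageBus`, `Subscriber`, `STAFF_GROUP_ID` and the webhook id `42` are assumptions. `redelivery_demo` publishes the same redelivery payload once without `group_ids` (the vulnerable call) and once restricted to the staff group (the patched call), and returns which subscribers of `/web_hook_events/42` received it.

```ruby
# Toy in-memory model of a MessageBus-style channel with group-restricted
# delivery. Constructed example, not the message_bus gem or Discourse code.
STAFF_GROUP_ID = 3 # constructed stand-in for Group::AUTO_GROUPS[:staff]

# A subscriber is a user (or anonymous visitor) with a set of group ids.
Subscriber = Struct.new(:name, :group_ids)

class ToyMessageBus
  Message = Struct.new(:channel, :data, :group_ids)

  def initialize
    @subscriptions = Hash.new { |h, k| h[k] = [] }
    @delivered = Hash.new { |h, k| h[k] = [] }
  end

  # Any client may ask for a channel; the channel name is guessable when it
  # is built from a sequential id, so subscription is not access control.
  def subscribe(channel, subscriber)
    @subscriptions[channel] << subscriber
  end

  # Mirrors the publish shape discussed above: when group_ids is nil the
  # message is visible to every subscriber of the channel.
  def publish(channel, data, group_ids: nil)
    msg = Message.new(channel, data, group_ids)
    @subscriptions[channel].each do |sub|
      @delivered[sub.name] << msg if visible_to?(msg, sub)
    end
    msg
  end

  # Names of subscribers that received at least one message on the channel.
  def received_by(channel)
    @delivered.select { |_, msgs| msgs.any? { |m| m.channel == channel } }.keys
  end

  private

  # Delivery rule: unrestricted message, or subscriber shares a group.
  def visible_to?(msg, sub)
    return true if msg.group_ids.nil?

    (msg.group_ids & sub.group_ids).any?
  end
end

# Simulates one redelivery publish on /web_hook_events/<id> with three
# subscribers: a staff admin, a regular user, and an anonymous visitor.
def redelivery_demo(restrict_to_staff:)
  bus = ToyMessageBus.new
  channel = "/web_hook_events/42" # constructed sequential webhook id
  bus.subscribe(channel, Subscriber.new("admin", [STAFF_GROUP_ID]))
  bus.subscribe(channel, Subscriber.new("regular_user", [10]))
  bus.subscribe(channel, Subscriber.new("anonymous", []))

  # Constructed stand-in for the AdminWebHookEventSerializer output.
  payload = { type: "redelivered",
              web_hook_event: { request_body: "constructed private data" } }

  bus.publish(channel, payload,
              group_ids: restrict_to_staff ? [STAFF_GROUP_ID] : nil)
  bus.received_by(channel)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable publish reaches: #{redelivery_demo(restrict_to_staff: false).inspect}"
  puts "patched publish reaches:    #{redelivery_demo(restrict_to_staff: true).inspect}"
end
```

The point the model makes is that subscription to a MessageBus channel is open to any client, so the only thing keeping a sensitive payload away from non-staff subscribers is the `group_ids` filter applied at publish time; a channel name derived from a sequential id provides no protection on its own.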

Preconditions

  • auth: Attacker must have a valid user session (or the instance must have `login_required` disabled for anonymous access).
  • network: Attacker must be able to subscribe to MessageBus channels (network access to the Discourse instance).

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.