CVE-2026-26077
Status: Received - Intake
Unauthenticated Webhook Access in Discourse Inflates Bounce Scores

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There is no workaround for the Mailpace endpoint before applying this fix.
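Added illustration of the authorization defect and its fix, written in Ruby because Discourse is a Rails application; this is not Discourse's own code. `configured_token` stands in for a site setting such as `sendgrid_verification_key`, `presented_token` for the value a request carries, and every status code other than the 406 named above is an assumption. It also shows why configuring the token is an effective workaround: the pre-fix check only does anything once a token exists.

```ruby
# Hypothetical model of the webhook token check before and after the fix
# (constructed for illustration, not Discourse code). Only the 406 for an
# unconfigured token comes from the advisory; 200/403 are assumptions.

# Constant-time comparison so a partially correct token is not rejected faster.
def tokens_match?(expected, actual)
  return false unless expected.bytesize == actual.bytesize
  expected.bytes.zip(actual.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Pre-fix pattern: when the operator never set a token, the comparison is
# skipped and every request is accepted, which is what let forged bounce
# events through on sites with a blank setting.
def verify_webhook_vulnerable(configured_token, presented_token)
  return 200 if configured_token.to_s.empty?   # nothing to compare -> accepted
  tokens_match?(configured_token, presented_token.to_s) ? 200 : 403
end

# Post-fix pattern: an unconfigured token is itself a reason to reject, so a
# forgotten setting fails closed with HTTP 406 as the advisory describes.
def verify_webhook_fixed(configured_token, presented_token)
  return 406 if configured_token.to_s.empty?   # fail closed, per the fix
  tokens_match?(configured_token, presented_token.to_s) ? 200 : 403
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenarios: a tokenless request against a blank setting, then
  # the configured cases. The vulnerable logic accepts the first; the fix rejects it.
  puts "blank setting, vulnerable: #{verify_webhook_vulnerable('', nil)}"
  puts "blank setting, fixed:      #{verify_webhook_fixed('', nil)}"
  puts "configured, right token:   #{verify_webhook_fixed('s3cr3t', 's3cr3t')}"
  puts "configured, wrong token:   #{verify_webhook_fixed('s3cr3t', 'guess')}"
end
```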
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-02
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor      Product     Version / Range
discourse   discourse   from 2026.1.0 (inclusive) to 2026.1.1 (exclusive)
discourse   discourse   2026.2.0
discourse   discourse   up to 2025.12.0 (exclusive)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Discourse's webhook endpoints for several email providers (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController. Prior to certain fixed versions, these endpoints accepted requests without requiring a valid authentication token if no token was configured. This allowed unauthenticated attackers to forge webhook payloads.

Specifically, attackers could artificially inflate user bounce scores by sending forged webhook requests, which could lead to legitimate user emails being disabled. Additionally, the Mailpace webhook endpoint had no token validation at all, making it even more vulnerable.

The issue was fixed by enforcing that all webhook endpoints reject requests without a valid authentication token, responding with HTTP status 406 when no token is configured. [1]


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthenticated attackers to forge webhook payloads that artificially inflate user bounce scores.

As a result, legitimate user emails could be mistakenly disabled, potentially disrupting communication with users.

The impact affects the integrity and availability of the email system at a low level, but does not compromise confidentiality.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthenticated requests to Discourse webhook endpoints that lack valid authentication tokens. To detect exploitation attempts on your network or system, monitor incoming HTTP requests to the webhook endpoints for unusual or unauthorized access patterns.

Specifically, look for requests to webhook URLs related to SendGrid, Mailjet, Mandrill, Postmark, SparkPost, and Mailpace that do not include an authentication token, or that receive HTTP 406 responses after patching.

You can use network monitoring tools or web server logs to identify such requests. For example, use grep on your web server logs to find requests to webhook endpoints that carry no token parameter:

  • grep -i 'webhooks/sendgrid' /var/log/nginx/access.log | grep -v 'token='
  • grep -i 'webhooks/mailjet' /var/log/nginx/access.log | grep -v 'token='
  • grep -i 'webhooks/mandrill' /var/log/nginx/access.log | grep -v 'token='
  • grep -i 'webhooks/postmark' /var/log/nginx/access.log | grep -v 'token='
  • grep -i 'webhooks/sparkpost' /var/log/nginx/access.log | grep -v 'token='

Additionally, monitoring for unexpected increases in user bounce scores or email delivery issues may indicate exploitation. [1]
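The log review described above, as an added example that is not part of the advisory or of Discourse: a Ruby scanner over constructed nginx access-log lines that flags webhook requests carrying no `token=` parameter and those answered with 406 after patching. It assumes nginx's default combined log format, the `/webhooks/<provider>` paths used by the grep commands, and that the token travels in the query string.

```ruby
# Added detection example (constructed, not from the advisory). Providers are
# the ones the advisory names; Mailpace is included because it had no token
# check at all before the fix.
WEBHOOK_PROVIDERS = %w[sendgrid mailjet mandrill postmark sparkpost mailpace].freeze

# Assumed nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

# Returns one finding hash per suspicious webhook request (empty array if none).
# A request is suspicious when it has no token= query parameter (assumed token
# location) or when the server answered 406, the post-fix rejection status.
def scan_webhook_log(lines)
  lines.each_with_object([]) do |line, findings|
    m = LINE_RE.match(line)
    next unless m
    path_only, query = m[:path].split("?", 2)
    provider = WEBHOOK_PROVIDERS.find { |p| path_only == "/webhooks/#{p}" }
    next unless provider
    reasons = []
    reasons << :no_token unless query.to_s.match?(/(?:\A|&)token=[^&]+/)
    reasons << :rejected_406 if m[:status] == "406"
    next if reasons.empty?
    findings << { ip: m[:ip], provider: provider, status: m[:status].to_i, reasons: reasons }
  end
end

# Constructed sample lines: a legitimate tokened call, a tokenless call accepted
# by an unpatched site, a tokenless call rejected by a patched site, an unrelated hit.
SAMPLE_LOG = [
  '203.0.113.10 - - [26/Feb/2026:10:00:01 +0000] "POST /webhooks/sendgrid?token=abc123 HTTP/1.1" 200 2 "-" "-"',
  '198.51.100.7 - - [26/Feb/2026:10:00:05 +0000] "POST /webhooks/postmark HTTP/1.1" 200 2 "-" "-"',
  '198.51.100.7 - - [26/Feb/2026:10:00:09 +0000] "POST /webhooks/mailpace HTTP/1.1" 406 0 "-" "-"',
  '203.0.113.20 - - [26/Feb/2026:10:00:12 +0000] "GET /t/welcome/1 HTTP/1.1" 200 8123 "-" "-"',
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_webhook_log(SAMPLE_LOG).each { |finding| puts finding.inspect }
end
```

Feed it real lines with `scan_webhook_log(File.readlines('/var/log/nginx/access.log', chomp: true))`; a burst of `:no_token` findings with status 200 on an unpatched site is the pattern worth correlating with rising bounce scores.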


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, ensure that webhook authentication tokens are configured for all email provider integrations in your Discourse site settings.

  • Configure the following tokens if applicable: sendgrid_verification_key, mailjet_webhook_token, postmark_webhook_token, sparkpost_webhook_token.

This configuration will enforce token validation and prevent unauthenticated requests from being accepted by the webhook endpoints.

Note that there is currently no workaround for the Mailpace webhook endpoint prior to applying the official patch.

Ultimately, apply the official Discourse security update (versions 2025.12.2, 2026.1.1, or 2026.2.0) as soon as possible; it rejects webhook requests with an HTTP 406 response when no authentication token is configured.

