Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability affects Discourse's webhook endpoints for several email providers (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the WebhooksController. Prior to certain fixed versions, these endpoints accepted requests without requiring a valid authentication token if no token was configured. This allowed unauthenticated attackers to forge webhook payloads."}, {'type': 'paragraph', 'content': 'Specifically, attackers could artificially inflate user bounce scores by sending forged webhook requests, which could lead to legitimate user emails being disabled. Additionally, the Mailpace webhook endpoint had no token validation at all, making it even more vulnerable.'}, {'type': 'paragraph', 'content': 'The issue was fixed by enforcing that all webhook endpoints reject requests without a valid authentication token, responding with HTTP status 406 when no token is configured.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to forge webhook payloads that artificially inflate user bounce scores.

As a result, legitimate user emails could be mistakenly disabled, potentially disrupting communication with users.

The impact affects the integrity and availability of the email system at a low level, but does not compromise confidentiality.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthenticated requests to Discourse webhook endpoints that lack valid authentication tokens. To detect exploitation attempts on your network or system, you can monitor incoming HTTP requests to the webhook endpoints for unusual or unauthorized access patterns.'}, {'type': 'paragraph', 'content': 'Specifically, look for requests to webhook URLs related to SendGrid, Mailjet, Mandrill, Postmark, SparkPost, and Mailpace that do not include valid authentication tokens or that receive HTTP 406 responses after patching.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like grep on your web server logs to find requests to webhook endpoints without valid tokens:'}, {'type': 'list_item', 'content': "grep -i 'webhooks/sendgrid' /var/log/nginx/access.log | grep -v 'token='"}, {'type': 'list_item', 'content': "grep -i 'webhooks/mailjet' /var/log/nginx/access.log | grep -v 'token='"}, {'type': 'list_item', 'content': "grep -i 'webhooks/mandrill' /var/log/nginx/access.log | grep -v 'token='"}, {'type': 'list_item', 'content': "grep -i 'webhooks/postmark' /var/log/nginx/access.log | grep -v 'token='"}, {'type': 'list_item', 'content': "grep -i 'webhooks/sparkpost' /var/log/nginx/access.log | grep -v 'token='"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected increases in user bounce scores or email delivery issues may indicate exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that webhook authentication tokens are configured for all email provider integrations in your Discourse site settings.

• Configure the following tokens if applicable: sendgrid_verification_key, mailjet_webhook_token, postmark_webhook_token, sparkpost_webhook_token.

This configuration will enforce token validation and prevent unauthenticated requests from being accepted by the webhook endpoints.

Note that there is currently no workaround for the Mailpace webhook endpoint prior to applying the official patch.

Ultimately, apply the official Discourse security update to versions 2025.12.2, 2026.1.1, or 2026.2.0 as soon as possible, which enforces rejection of requests without valid tokens by returning HTTP 406 responses.

Useful 0 Not Useful 0