CVE-2026-33185
Server-Side Request Forgery in Discourse Group Email Endpoint
Publication date: 2026-03-31
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2026.3.0 |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.3 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33185 is a Server-Side Request Forgery (SSRF, CWE-918) flaw in Discourse, the open-source discussion platform. A Discourse group can carry its own email (SMTP) settings, and the group email settings test endpoint verifies them by having the server connect to the supplied mail host. In affected versions that endpoint was reachable by any group owner, staff or not, and did not constrain where the server connected, so a non-staff group owner could make the Discourse server open outbound connections to any host and port they named.
That is the SSRF: the connection originates from the server, so it reaches addresses that are routable from the server but not from the internet, such as internal services, neighbouring containers, and cloud instance metadata endpoints. The fixed releases are 2026.1.3, 2026.2.2 and 2026.3.0 (the affected-versions table above also lists 2026.3.0 itself, so check the vendor advisory for your exact build before treating it as fixed).
The fix restricts the endpoint to staff (admins and moderators), adds SSRF detection that refuses targets resolving to private or other internal address ranges, validates the requested protocol, rate-limits calls to the endpoint, and adjusts its error handling. The last two matter more than they look: an endpoint that reports connection failures in detail and can be called without limit doubles as a port scanner of the internal network.
How can this vulnerability impact me?
The attacker needs only an ordinary account that owns a group; staff rights are not required. With it, they can make the Discourse server attempt a connection to any host and port they choose.
Which of those connections succeed, fail or time out tells them which internal hosts are alive and which ports are open, and whether the server can reach cloud metadata services or other resources that were never meant to be exposed.
The confidentiality impact is rated low, because what the attacker gains is information from network probing rather than the contents of internal services; integrity and availability are not directly affected.
Treat it as reconnaissance nonetheless: a map of the internal network from the Discourse host's vantage point is exactly what a follow-on attack against those internal systems starts from.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable endpoint makes the Discourse server connect wherever the caller asks, so exploitation looks like the application process opening outbound connections to destinations it has no business reaching. Detection therefore centres on egress from the Discourse server (or its app container) and on who called the endpoint.
Do not limit monitoring to SMTP ports. The attacker chooses the port, and probes at 169.254.169.254:80 or at internal services on 5432, 6379 or 9200 are the interesting ones. The only outbound SMTP the application legitimately makes goes to your configured mail relay, so any other outbound connection from the app process is a finding.
Suggested commands include:
- Capturing outbound connection attempts that are not to the mail relay, with tcpdump (substitute your interface, the server's or container's address, and the relay): tcpdump -ni <interface> 'src host <server-ip> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and not dst host <mail-relay>'
- Listing current connections with their owning process (run as root, otherwise the process column is empty): ss -tnp (netstat -tnp is the older equivalent). Look for sockets owned by the Discourse app processes whose peer is anything other than the mail relay, Redis or PostgreSQL, and include SYN-SENT sockets: a probe to a closed or filtered port never reaches ESTAB.
- Reviewing the Rails log (in a standard discourse_docker install, shared/standalone/log/rails/production.log under /var/discourse) for requests to the group email settings test route. After the patch only staff should reach it; before it, a burst of requests from one non-staff account, each naming a different host or port, is the signature of a scan.
- Watching DNS from the application: lookups for names you do not recognise, or a run of failed lookups, around the time of those requests. A name the attacker controls can resolve to an internal address, so an unfamiliar name that resolves successfully is not automatically benign.
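The ss-based check above, as an added Ruby example written for this page (it is not Discourse code and not a tool the advisory ships): it parses `ss -tnp` output, keeps the sockets owned by the application process, and reports every peer that is not on the expected list, regardless of port. The process names, the expected-peer table and the sample `ss` output are all constructed assumptions; replace them with the values from your own host.

```ruby
# Added example (not Discourse code): flag outbound connections from the
# Discourse application process to any peer that is not on its expected list,
# working from `ss -tnp` output. The sample output at the bottom is constructed.

# Process names the Discourse app runs under as `ss -tnp` shows them.
# Assumed for this example; check your own host (inside the app container
# on a discourse_docker install).
APP_PROCESS_NAMES = %w[ruby unicorn bundle].freeze

# Peers the app is expected to reach: the configured mail relay plus local
# Redis and PostgreSQL. Assumed values; take yours from your own config.
EXPECTED_PEERS = {
  "203.0.113.10:587" => "mail relay",
  "127.0.0.1:6379"   => "redis",
  "127.0.0.1:5432"   => "postgres",
}.freeze

Conn = Struct.new(:state, :local, :peer, :process, :pid)

# Parses one `ss -tnp` line. Returns nil for the header and for lines that
# carry no process column (sockets owned by another namespace, or ss run
# without root).
def parse_ss_line(line)
  fields = line.strip.split(/\s+/)
  return nil if fields.size < 6 || fields[0] == "State"
  state, _recvq, _sendq, local, peer, proc_col = fields
  m = proc_col.match(/\("([^"]+)",pid=(\d+)/)
  return nil unless m
  Conn.new(state, local, peer, m[1], m[2].to_i)
end

# Connections from an app process to a peer that is not expected. The port is
# deliberately not used to narrow the search: the SSRF reaches arbitrary hosts
# and ports, so 169.254.169.254:80 or 10.0.0.7:9200 are exactly the hits we
# want, and a filter on 25/465/587 would miss them. SYN-SENT entries matter
# too; a probe to a closed or filtered port never reaches ESTAB.
def suspicious_connections(ss_output)
  ss_output.each_line
           .map { |l| parse_ss_line(l) }
           .compact
           .select { |c| APP_PROCESS_NAMES.include?(c.process) }
           .reject { |c| EXPECTED_PEERS.key?(c.peer) }
end

# Constructed `ss -tnp` output for a Discourse host (not a real capture).
SAMPLE_SS_OUTPUT = <<~SS
  State    Recv-Q Send-Q Local Address:Port Peer Address:Port   Process
  ESTAB    0      0      172.17.0.2:48210   203.0.113.10:587    users:(("ruby",pid=1842,fd=21))
  ESTAB    0      0      127.0.0.1:59120    127.0.0.1:6379      users:(("ruby",pid=1842,fd=9))
  ESTAB    0      0      127.0.0.1:59134    127.0.0.1:5432      users:(("ruby",pid=1851,fd=11))
  SYN-SENT 0      1      172.17.0.2:48366   169.254.169.254:80  users:(("ruby",pid=1851,fd=23))
  ESTAB    0      0      172.17.0.2:48370   10.0.0.7:9200       users:(("ruby",pid=1851,fd=24))
  ESTAB    0      0      172.17.0.2:443     198.51.100.23:51002 users:(("nginx",pid=77,fd=5))
SS

if $PROGRAM_NAME == __FILE__
  suspicious_connections(SAMPLE_SS_OUTPUT).each do |c|
    puts "#{c.state} pid=#{c.pid} (#{c.process}) -> #{c.peer}  unexpected peer"
  end
end
```

Run it against live output with `ss -tnp | ruby this_script.rb` adapted to read STDIN, or on a cron to catch the SYN-SENT probes that a once-off look misses. An allow-list of peers is the right shape for this check: the application's legitimate destinations are few and known, while the attacker's are arbitrary, so enumerating "bad" ranges would always be incomplete.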
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Discourse to a release that contains the fix.
- Upgrade to Discourse 2026.1.3, 2026.2.2, or 2026.3.0 or later (the affected-versions table above also lists 2026.3.0 itself; confirm the exact fixed build against the vendor advisory).
These releases restrict the SMTP test endpoint to staff (admins and moderators), detect and block connections to disallowed IP addresses, enforce protocol validation, and rate-limit the endpoint to prevent abuse.
No workaround other than upgrading is recommended. As defence in depth while an upgrade is scheduled, egress filtering from the Discourse container (allow the mail relay and other known peers, deny everything else, and in particular the cloud metadata address) limits what any SSRF in the application can reach; it reduces exposure but does not remove the flaw.
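The checks the fix is described as adding, in the first answer and in the mitigation notes above (protocol validation, refusing disallowed address ranges, rate limiting), as an added Ruby example written for this page. It is not Discourse's implementation: the function and class names, the ssl_mode values, the limits and the DNS table are assumptions made so the example runs offline, and the real fix lives in Discourse's code, not here.

```ruby
require "ipaddr"
require "resolv"

# Added example, not Discourse's implementation. Ranges an SMTP test target
# must never resolve to: "this network", RFC 1918, CGNAT, loopback, link-local
# (which holds the 169.254.169.254 cloud metadata address), and the IPv6
# unspecified, loopback, ULA and link-local ranges.
DISALLOWED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Protocol/encryption modes the endpoint accepts. Names are assumed for the
# example, not Discourse's own setting values.
ALLOWED_SSL_MODES = %w[none ssl_tls starttls].freeze
PORT_RANGE = (1..65_535)

class SmtpTargetError < StandardError; end

# True if addr falls in a disallowed range. IPv4-mapped IPv6 literals such as
# ::ffff:127.0.0.1 are unwrapped first so they are judged as 127.0.0.1.
def disallowed_ip?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped?
  DISALLOWED_RANGES.any? { |range| range.include?(ip) }
end

# Validates a user-supplied SMTP test target before any socket is opened.
# resolver: callable returning IP strings for a hostname. Defaults to DNS;
# the demo below injects a constructed table so it runs offline. Every
# resolved address must pass, not only the first, because a name the
# attacker controls can return one public and one internal record.
def validate_smtp_target(host, port, ssl_mode, resolver: ->(h) { Resolv.getaddresses(h) })
  raise SmtpTargetError, "ssl_mode not allowed: #{ssl_mode}" unless ALLOWED_SSL_MODES.include?(ssl_mode)
  port = Integer(port, exception: false)
  raise SmtpTargetError, "port out of range" unless port && PORT_RANGE.cover?(port)
  host = host.to_s.strip
  raise SmtpTargetError, "host required" if host.empty?

  # An IP literal needs no DNS; anything else is resolved and every answer checked.
  addrs = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  raise SmtpTargetError, "host does not resolve" if addrs.empty?
  bad = addrs.select { |a| disallowed_ip?(a) }
  raise SmtpTargetError, "disallowed address: #{bad.join(', ')}" unless bad.empty?

  { host: host, port: port, ssl_mode: ssl_mode, addresses: addrs }
end

# Sliding-window per-user limiter for the endpoint; the clock is injectable
# so the demo is deterministic. Limits are assumed, not Discourse's.
class TestEmailRateLimit
  def initialize(max:, window:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @max = max
    @window = window
    @clock = clock
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  def allow?(user_id)
    now = @clock.call
    hits = @hits[user_id]
    hits.reject! { |t| t <= now - @window }
    return false if hits.size >= @max
    hits << now
    true
  end
end

# Constructed DNS table for the offline demo (not real records).
FAKE_DNS = {
  "smtp.example.com"   => ["203.0.113.10"],
  "rebind.example.com" => ["203.0.113.11", "10.0.0.5"],
  "meta.example.com"   => ["169.254.169.254"],
}.freeze
FAKE_RESOLVER = ->(h) { FAKE_DNS.fetch(h, []) }

# Returns "allowed" or "rejected: <reason>" for a target, using the fake table.
def check_target(host, port, ssl_mode)
  validate_smtp_target(host, port, ssl_mode, resolver: FAKE_RESOLVER)
  "allowed"
rescue SmtpTargetError => e
  "rejected: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  [["smtp.example.com", 587, "starttls"], ["rebind.example.com", 587, "starttls"],
   ["meta.example.com", 80, "none"], ["::ffff:127.0.0.1", 25, "none"],
   ["smtp.example.com", 587, "raw"], ["smtp.example.com", 70_000, "none"]].each do |h, p, m|
    puts "#{h}:#{p} (#{m}) -> #{check_target(h, p, m)}"
  end
end
```

Two details here are where naive checks usually fail: every resolved address is tested rather than just the first (a name with one public and one internal record passes a first-answer check), and IPv4-mapped IPv6 literals are unwrapped before the range test. One caveat remains even with this validator: checking and then connecting by name leaves a DNS rebinding window between the two lookups, so the robust form pins the address that passed validation and connects to that address, which a Net::SMTP-based test has to be adapted to do.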
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a low-privileged user to make the server open outbound connections to arbitrary hosts and ports, enabling probing of internal network infrastructure. That can expose internal network details or metadata services, which is limited information disclosure rather than access to personal or health data.
Unauthorised network probing of this kind can still bear on standards and regulations that require internal infrastructure and sensitive data to be protected, such as GDPR and HIPAA, but the information on this page does not establish a direct compliance impact; whether one exists depends on what the internal network exposed and on your own risk assessment.
Mitigation is to update to a patched version of Discourse, which restricts access to the endpoint and adds SSRF protections, improving the security posture the frameworks expect and reducing the risk of non-compliance.