CVE-2026-33185
Received Received - Intake
Server-Side Request Forgery in Discourse Group Email Endpoint

Publication date: 2026-03-31

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33185
EUVD
EUVD-2026-17571
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.3.0
discourse discourse From 2026.1.0 (inc) to 2026.1.3 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.2 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users to initiate outbound connections to arbitrary hosts and ports, enabling probing of internal network infrastructure. This could potentially expose internal network details or metadata services, which may lead to limited information disclosure.

Such unauthorized network probing and potential information disclosure could negatively impact compliance with standards and regulations that require protection of internal infrastructure and sensitive data, such as GDPR and HIPAA. However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Mitigation requires updating to patched versions of Discourse, which restrict access to the vulnerable endpoint and implement SSRF protections, thereby improving security posture and reducing risk of non-compliance.

Executive Summary

CVE-2026-33185 is a security vulnerability in the Discourse open-source discussion platform affecting certain versions before 2026.1.3, 2026.2.2, and 2026.3.0. It involves the group email settings test endpoint, which allowed non-staff group owners to make the server initiate outbound connections to arbitrary hosts and ports.

This flaw enables a Server-Side Request Forgery (SSRF) attack, where an attacker can use the server to probe internal network infrastructure or access internal resources that should not be reachable externally.

The vulnerability was fixed by restricting access to this endpoint to only group admins and moderators, adding SSRF detection to block connections to private or internal IP ranges, enforcing protocol validation, implementing rate limiting, and improving error handling.

Impact Analysis

This vulnerability allows an attacker with low privileges (non-staff group owner) to cause the Discourse server to initiate outbound connections to arbitrary hosts and ports.

As a result, an attacker can probe internal network infrastructure, potentially discovering sensitive internal services or cloud metadata endpoints that are not intended to be exposed.

The impact on confidentiality is considered low, as it mainly allows limited information disclosure through network probing. There is no direct impact on integrity or availability.

However, this can expose internal network details and potentially aid further attacks against internal systems.

Detection Guidance

This vulnerability involves the group email settings test endpoint in Discourse allowing outbound connections to arbitrary hosts and ports, which can be exploited for Server-Side Request Forgery (SSRF). Detection can focus on monitoring for unusual outbound SMTP connection attempts initiated by non-staff group owners.

To detect exploitation attempts, you can monitor network traffic for outbound SMTP connections to unexpected or internal IP addresses and ports originating from the Discourse server.

Suggested commands include:

  • Using tcpdump or similar to capture outbound SMTP traffic: tcpdump -i <interface> 'tcp dst port 25 or tcp dst port 587 or tcp dst port 465'
  • Checking active connections from the Discourse server: netstat -tnp | grep :25 or ss -tnp | grep :25
  • Reviewing Discourse application logs for requests to the group email settings test endpoint that originate from non-staff group owners.

Additionally, since the vulnerability allows probing of internal network infrastructure, monitoring for unusual DNS resolutions or failed DNS lookups related to SMTP hosts may also help detect attempts.

Mitigation Strategies

The primary and recommended mitigation is to upgrade Discourse to a patched version where this vulnerability is fixed.

  • Upgrade to Discourse version 2026.1.3, 2026.2.2, or 2026.3.0 or later.

These versions include security fixes that restrict access to the SMTP test endpoint to only group admins and moderators, implement SSRF detection and blocking of disallowed IP addresses, enforce protocol validation, and add rate limiting to prevent abuse.

No effective workarounds other than upgrading are recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart