CVE-2026-33393
Received Received - Intake
Domain Suffix Bypass in Discourse Spam Host Validation

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33393
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the fixed versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

These versions include a fix that requires exact match or proper subdomain match (preceded by a dot) for the allowed_spam_host_domains check, preventing suffix-based bypass of the newuser_spam_host_threshold.

No known workarounds are available, so upgrading is the immediate and recommended step.

Executive Summary

This vulnerability affects the Discourse open-source discussion platform. Before certain fixed versions, the platform's spam protection check called `allowed_spam_host_domains` used a method that checked if a domain ended with an allowlisted domain without properly validating domain boundaries. This meant that malicious domains like `attacker-example.com` could bypass spam protection if `example.com` was on the allowlist, because the check only looked for a suffix match rather than an exact or proper subdomain match.

The issue was fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 by requiring an exact match or a proper subdomain match (preceded by a dot) to prevent attackers from bypassing the spam host threshold protections.

Impact Analysis

This vulnerability can allow attackers to bypass spam protection mechanisms on Discourse platforms that have not been updated to the fixed versions. By exploiting the improper domain boundary validation, attackers can use malicious domains that appear similar to allowlisted domains to evade spam filters.

As a result, your platform could receive increased spam or malicious content from domains that should have been blocked, potentially degrading user experience and increasing moderation workload.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart