CVE-2026-44784
Status: Received - Intake
Information Disclosure in Discourse Group SMTP Credentials

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields: email_password, email_username, smtp_server, smtp_port, smtp_ssl_mode. The most sensitive item is the SMTP password, which an owner could use to send mail as the group from outside Discourse. This impacts sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Affected Vendors & Products
Vendor      Product     Version / Range
discourse   discourse   2026.1.0 (inclusive) up to, but not including, 2026.1.4
discourse   discourse   2026.3.0 (inclusive) up to, but not including, 2026.3.1
discourse   discourse   2026.4.0 (inclusive) up to, but not including, 2026.4.1
CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

In the affected Discourse versions, a group owner who is not an admin or moderator can read the group's outgoing email/SMTP settings in plaintext from the group history log endpoint, /groups/:name/logs.json. The history log records changes to group settings, and in these versions it returned the SMTP fields, values included, to group owners.

The exposed fields are email_password, email_username, smtp_server, smtp_port and smtp_ssl_mode. The SMTP password is the critical one: with it, and the server details exposed alongside it, a group owner can send mail as the group from outside Discourse.

Only sites that have configured per-group SMTP credentials and granted group ownership to users who should not see those credentials are affected. The issue is fixed in 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Impact Analysis

Group ownership is a lower-privilege role than admin or moderator, so this flaw lets a user with no site-wide privileges read a secret that only administrators are meant to set and see. With the SMTP password, and the server, port and SSL mode exposed next to it, a group owner can authenticate to the mail server directly and send mail as the group from outside Discourse, bypassing whatever controls the forum applies to its own outgoing mail.

That enables phishing or spam sent under the group's identity, damaging the reputation of the group, the organization and the sending domain. If the same SMTP account is shared with other systems, those systems are exposed as well.

Mitigation Strategies

Upgrade Discourse to a patched version: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.

The credentials were readable to group owners for as long as an affected version was deployed, so treat any per-group SMTP password as potentially exposed: rotate it after upgrading and review the mail server's sending logs for messages that did not originate from Discourse.

Also review group ownership assignments and remove owner privileges from users who should not hold them, especially for groups with per-group SMTP credentials configured.
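The following Ruby script is an added example, not part of this advisory or of Discourse's own code. It parses a /groups/:name/logs.json response and reports which of the five fields named above come back with a value, so an administrator can confirm, using a group-owner account that is not an admin or moderator, that a patched site no longer returns them. The response shape it assumes ({"logs": [{"subject", "prev_value", "new_value", ...}]}) is an assumption, not something the advisory states; the fetch helper uses Discourse's Api-Key and Api-Username request headers and assumes the endpoint accepts them; the sample response is constructed, not captured from a real site.

```ruby
require "json"
require "net/http"
require "uri"

# Fields the advisory says are exposed through /groups/:name/logs.json.
SENSITIVE_GROUP_FIELDS = %w[email_password email_username smtp_server smtp_port smtp_ssl_mode].freeze

# Of those, the one whose value is a secret rather than plain configuration.
SECRET_GROUP_FIELDS = %w[email_password].freeze

# Return the history entries whose subject is a sensitive field and which carry a
# non-empty previous or new value. Assumed response shape (not from the advisory):
#   {"logs": [{"action": ..., "subject": ..., "prev_value": ..., "new_value": ...}, ...]}
def exposed_smtp_entries(body)
  logs = JSON.parse(body).fetch("logs", [])
  logs.select do |entry|
    SENSITIVE_GROUP_FIELDS.include?(entry["subject"]) &&
      [entry["prev_value"], entry["new_value"]].any? { |v| !v.to_s.empty? }
  end
end

# Summarise an exposure check: which fields are readable and whether a secret is among them.
def exposure_report(body)
  entries = exposed_smtp_entries(body)
  fields = entries.map { |e| e["subject"] }.uniq
  {
    entries: entries.size,
    fields: fields,
    secret_exposed: fields.any? { |f| SECRET_GROUP_FIELDS.include?(f) },
  }
end

# Fetch the group history as a specific user via Discourse's Api-Key / Api-Username
# headers. For this check the key should act as a group-owner account that is not
# an admin or moderator, since that is the role the advisory is about.
def fetch_group_logs(base_url, group_name, api_key, api_username)
  uri = URI.join(base_url, "/groups/#{group_name}/logs.json")
  req = Net::HTTP::Get.new(uri)
  req["Api-Key"] = api_key
  req["Api-Username"] = api_username
  req["Accept"] = "application/json"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
  raise "HTTP #{res.code} from #{uri}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Constructed sample response standing in for an unpatched site (not captured from a real server).
SAMPLE_LOGS_JSON = JSON.generate(
  "logs" => [
    { "action" => "change_group_setting", "subject" => "smtp_server",
      "prev_value" => nil, "new_value" => "smtp.example.test", "created_at" => "2026-06-01T10:00:00Z" },
    { "action" => "change_group_setting", "subject" => "email_password",
      "prev_value" => nil, "new_value" => "not-a-real-password", "created_at" => "2026-06-01T10:00:05Z" },
    { "action" => "add_user_to_group", "subject" => nil,
      "prev_value" => nil, "new_value" => nil, "created_at" => "2026-06-02T09:30:00Z" },
  ],
  "all_loaded" => true
)

if __FILE__ == $PROGRAM_NAME
  # With four arguments (base_url group api_key api_username) the live endpoint is checked;
  # with none, the constructed sample is used so the script runs offline.
  body = ARGV.length == 4 ? fetch_group_logs(*ARGV) : SAMPLE_LOGS_JSON
  report = exposure_report(body)
  puts "entries: #{report[:entries]}  fields: #{report[:fields].join(", ")}"
  puts(report[:secret_exposed] ? "FAIL: SMTP password is readable; rotate it and upgrade" : "OK: no secret values in group history")
end
```

On the constructed sample the report lists smtp_server and email_password and flags the secret; on a patched site the same call should report no entries carrying a value for any of the five fields. A clean result from the owner account is only meaningful if that account is not also an admin or moderator, who are entitled to see these settings.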
