CVE-2026-44787
Undergoing Analysis Undergoing Analysis - In Progress

Privilege Escalation in Discourse via Whisper Group Misconfiguration

Vulnerability report for CVE-2026-44787, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users to gain whisper-group privileges, which could lead to unauthorized access to private communications within the Discourse platform.

Such unauthorized access to restricted or private information could potentially violate data confidentiality requirements found in standards and regulations like GDPR or HIPAA, which mandate strict controls over access to personal or sensitive data.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.

Executive Summary

This vulnerability affects the Discourse open-source discussion platform in versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. It allows newly registered users during the signup process to set the primary_group_id parameter and gain whisper-group privileges without actually being legitimate members of those groups on sites that have the whispers_allowed_groups configuration enabled.

Impact Analysis

An attacker exploiting this vulnerability could gain unauthorized access to whisper-group privileges, which are typically used for private or restricted communications within the Discourse platform. This unauthorized access could lead to information disclosure or unauthorized interactions within private groups, potentially compromising confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

Detection Guidance

This vulnerability involves unauthorized assignment of the primary_group_id parameter during user signup in Discourse, allowing privilege escalation to whisper-group access. Detection would focus on identifying newly registered users who have been assigned a primary_group_id or flair_group_id without legitimate group membership.

Since the issue occurs during the signup process, monitoring signup requests for the presence of primary_group_id or flair_group_id parameters can help detect exploitation attempts.

Suggested commands or approaches include:

  • Review web server or application logs for signup POST requests containing primary_group_id or flair_group_id parameters.
  • Use grep or similar tools on access logs to search for suspicious signup parameters, for example:
  • grep -i 'primary_group_id' /path/to/discourse/logs/access.log
  • grep -i 'flair_group_id' /path/to/discourse/logs/access.log
  • Query the Discourse database to identify users with primary_group_id set who registered after a certain date, indicating potential exploitation.
  • Check the configuration of whispers_allowed_groups to understand if the site is vulnerable.

Note that the vulnerability is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, so ensuring your Discourse instance is updated is the best mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart