CVE-2026-46413
Undergoing Analysis Undergoing Analysis - In Progress

Stored XSS in Discourse via S3 Multipart Upload

Vulnerability report for CVE-2026-46413, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Discourse open-source discussion platform in versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. It allows regular users to route direct S3 multipart uploads through the ExternalUploadManager into the admin backup store, which is unintended behavior.

Impact Analysis

The vulnerability can impact you by allowing regular users to interfere with the admin backup storage through unauthorized S3 multipart uploads. This could lead to integrity issues since the CVSS score indicates a high impact on integrity, meaning attackers might be able to modify or corrupt data in the admin backup store.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

Compliance Impact

The vulnerability in Discourse allowed regular users to route multipart uploads into the admin backup store, bypassing access controls and potentially enabling unauthorized writes to backup storage.

This unauthorized access to backup data could lead to integrity issues or unauthorized modification of sensitive data, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict controls over data access and integrity.

By allowing non-admin users to upload data to the backup store, the vulnerability could undermine the confidentiality and integrity safeguards mandated by these standards, increasing the risk of data breaches or unauthorized data manipulation.

The patch enforces admin-only access to backup uploads, helping to restore compliance with such regulatory requirements by preventing unauthorized access to backup storage.

Detection Guidance

This vulnerability involves unauthorized multipart uploads routed to the admin backup store in Discourse. Detection would involve monitoring multipart upload requests to the backup storage endpoint and verifying if non-admin users are able to initiate such uploads.

Since the vulnerability allows regular users to bypass access controls, you can detect exploitation attempts by checking for multipart upload requests with the upload type set to "backup" coming from non-admin users.

Suggested commands or methods to detect this might include:

  • Review web server or application logs for multipart upload requests targeting backup storage endpoints.
  • Use grep or similar tools to search logs for keywords like "multipart upload" combined with "backup" and user identifiers that are not administrators.
  • Example command to search logs (adjust path and log format accordingly):
  • grep -i 'multipart upload' /var/log/discourse/access.log | grep -i 'backup' | grep -v 'admin'
  • Monitor HTTP response codes for 403 Forbidden responses on multipart backup upload endpoints, which indicate the patch is working correctly. Absence of such responses might indicate vulnerability.

Note that the vulnerability is fixed in Discourse versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. Ensuring your system is updated to these versions or later is the primary mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart