CVE-2026-53961
Undergoing Analysis Undergoing Analysis - In Progress

Email Bounce Forgery in Discourse via AWS SES Webhook

Vulnerability report for CVE-2026-53961, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.6.0
discourse discourse 2026.5.1
discourse discourse 2026.4.2
discourse discourse 2026.1.5
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to forge AWS SNS bounce notifications that can revoke targeted user emails by increasing bounce scores, potentially disabling users from receiving important communications such as notifications or password resets.

Such unauthorized email revocation could impact compliance with standards like GDPR and HIPAA, which require maintaining secure and reliable communication channels with users and protecting user data integrity.

If user emails are revoked without proper authorization, it could lead to denial of service to users, affecting their rights to access information and communications, which are critical under these regulations.

The vulnerability highlights the importance of validating and restricting trusted sources of bounce notifications to prevent unauthorized actions that could compromise user communication and data handling compliance.

Executive Summary

This vulnerability affects the Discourse open-source discussion platform prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The issue lies in the AWS SES bounce webhook at the POST /webhooks/aws endpoint. While the webhook verified that SNS messages were signed by Amazon, it did not ensure that these messages were bound to trusted TopicArn values. This flaw allowed any AWS account holder to publish validly signed but forged Bounce notifications, which could revoke a targeted user's email.

Impact Analysis

The vulnerability allows attackers to send forged Bounce notifications that appear to be legitimately signed by Amazon. This can lead to the revocation of targeted user emails, potentially disrupting communication with those users. The impact includes integrity loss and availability issues, as indicated by the CVSS score, which rates the impact on integrity and availability as low but does not affect confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

This update ensures that the AWS SES bounce webhook properly binds SNS messages to trusted TopicArn values, preventing attackers from publishing forged Bounce notifications.

Detection Guidance

This vulnerability can be detected by checking if your Discourse instance's /webhooks/aws endpoint is accepting AWS SNS bounce notifications without restricting the allowed SNS TopicARNs. Specifically, you should verify whether the new site setting `aws_sns_topic_arn_allowlist` is configured to restrict which SNS topics can send bounce notifications.

Additionally, Discourse includes a dashboard problem flag that alerts self-hosted admins if their SMTP configuration appears to be Amazon SES but the allowlist setting has not been set. Monitoring this dashboard flag can help detect the vulnerability.

To detect suspicious activity on your system or network, you can monitor incoming POST requests to the /webhooks/aws endpoint and check for SNS messages signed by AWS but originating from untrusted TopicARNs.

While no specific commands are provided in the resources, general detection steps include:

  • Inspect web server logs for POST requests to /webhooks/aws from unexpected or unknown SNS TopicARNs.
  • Use AWS CloudTrail or SNS subscription logs to verify which SNS topics are subscribed to your webhook URL.
  • Check Discourse site settings for the presence and configuration of `aws_sns_topic_arn_allowlist`.
  • Look for bounce notifications in Discourse logs or database that do not correspond to legitimate AWS SNS topics.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart