CVE-2026-55420
Received Received - Intake

Remote Code Execution in Discourse via PDF Upload

Vulnerability report for CVE-2026-55420, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, under certain non-default configurations, processing of PDF uploads could be exploited to obtain RCE on the server. This issue is patched in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.5.0 (inc)
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows remote code execution (RCE) on the server through processing of PDF uploads under certain non-default configurations. This can lead to unauthorized access, modification, or disruption of data and services.

Such unauthorized access and potential data compromise could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of confidentiality, integrity, and availability of sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance or specific regulatory implications.

Executive Summary

CVE-2026-55420 is a remote code execution (RCE) vulnerability in the Discourse open-source discussion platform. It occurs in versions from 2026.1.0 up to 2026.5.0 under certain non-default configurations when processing PDF uploads. An attacker could exploit this vulnerability by uploading a specially crafted PDF file, which allows them to execute arbitrary code on the server hosting Discourse.

The vulnerability arises due to how PDF files are handled and processed, and it has been addressed by introducing stricter security policies for image processing and removing risky PDF-to-image processing features.

Impact Analysis

This vulnerability can have a significant impact as it allows an attacker to execute arbitrary code on the server remotely. This can lead to full compromise of the server, including unauthorized access to sensitive data, modification or deletion of data, disruption of service, and potentially using the server as a foothold to attack other systems.

The CVSS score of 7.5 indicates a high severity, with impacts on confidentiality, integrity, and availability. The attack requires low privileges and no user interaction but has high complexity.

Detection Guidance

This vulnerability arises from processing PDF uploads under certain non-default configurations in Discourse versions prior to the patched releases. Detection involves checking if your Discourse instance is running a vulnerable version (2026.1.0 through 2026.5.0) and if PDF uploads are allowed and processed.

Administrators can detect potential exploitation attempts by monitoring upload logs for suspicious PDF files or unusual activity related to PDF processing.

A practical detection step is to verify the allowed upload file types configuration to see if ".pdf" is included.

While no specific commands are provided in the resources, you can use commands like the following on the server hosting Discourse to check the version and configuration:

  • Check Discourse version: `cd /var/discourse && ./launcher enter app && discourse version`
  • Check allowed upload types in Discourse settings or configuration files for presence of ".pdf"
  • Monitor logs for PDF upload activity: `grep ".pdf" /var/discourse/shared/standalone/log/rails/production.log` (path may vary)
Mitigation Strategies

The primary mitigation is to upgrade Discourse to one of the patched versions: 2026.1.5, 2026.4.2, 2026.5.1, or 2026.6.0.

As a temporary workaround before upgrading, administrators can remove the ".pdf" extension from the list of allowed upload file types to prevent processing of PDF uploads that could trigger the vulnerability.

Additionally, the security hardening update restricts ImageMagick operations by enforcing a default-deny policy, allowing only necessary image formats and removing PDF-to-image processing in plugins, which reduces the attack surface.

Therefore, applying the security policy changes and upgrading to a patched version are recommended immediate steps.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55420. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart