CVE-2026-44787 in Discourseinfo

Summary

by MITRE • 07/10/2026

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability affects Discourse, an open-source discussion platform that enables community-driven content creation and collaboration. The security flaw existed in versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 where the user registration process contained a critical authorization bypass mechanism. The vulnerability specifically targeted the signup flow and allowed malicious actors or compromised users to manipulate group membership assignments during account creation.

The technical implementation of this flaw involved improper validation of group membership permissions within the user registration endpoint. When sites had whispers_allowed_groups configured, which typically restricts certain private communications to specific user groups, the system failed to verify that newly registered users actually belonged to these designated groups before assigning them primary_group_id values. This misconfiguration enabled attackers to directly set group IDs during signup, effectively granting unauthorized users whisper-group privileges without proper authentication or membership validation.

The operational impact of this vulnerability represents a significant privilege escalation threat within Discourse installations. An attacker could exploit this flaw to gain access to private communication channels and restricted content that should only be available to legitimate group members. This creates potential risks for organizations using Discourse for sensitive discussions, internal communications, or community management where whisper groups are used for confidential interactions between specific user roles or departments.

The vulnerability aligns with CWE-285 (Improper Authorization) and represents a classic case of insufficient input validation during user registration processes. From an adversarial perspective, this issue maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) where attackers could leverage the registration flow to gain unauthorized access to restricted group resources. The fix implemented in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 involved strengthening the authorization checks during user creation to ensure that primary_group_id assignments are validated against legitimate group membership before being applied to new accounts.

Organizations using Discourse should immediately upgrade to the patched versions to prevent potential exploitation of this vulnerability. System administrators should also review existing user accounts for any suspicious group assignments and implement monitoring for unauthorized privilege changes. The mitigation strategy should include comprehensive testing of the registration flow and verification that all group membership assignments are properly validated against the underlying user authentication system to maintain proper access controls and prevent similar authorization bypass scenarios in other parts of the platform.

Responsible

GitHub M

Reservation

05/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!