CVE-2026-45788 in Discourseinfo

Summary

by MITRE • 07/10/2026

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability affects Discourse, an open-source discussion platform, where secure upload functionality can be bypassed through a flaw in the pull_hotlinked_images feature. This security weakness specifically impacts versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, creating a significant exposure risk when the secure_uploads site setting is enabled. The flaw allows attackers to access secured upload content by leveraging knowledge of specific upload URLs, effectively undermining the intended security controls.

The technical implementation of this vulnerability stems from improper access control mechanisms within Discourse's image handling system. When the pull_hotlinked_images feature processes external image references and encounters secured uploads, it fails to properly validate whether the requesting entity has legitimate authorization to access the protected content. This represents a classic access control weakness that aligns with CWE-285, which focuses on improper authorization in software systems. The vulnerability essentially allows an attacker with knowledge of a specific upload URL to bypass the normal authentication and authorization checks that should protect secure content.

The operational impact of this vulnerability extends beyond simple data exposure, as it creates potential vectors for information disclosure and content manipulation within discussion platforms. Attackers could potentially access sensitive user-generated content, private documents, or system-related assets that were intended to be protected by the secure uploads mechanism. This weakness directly violates the principle of least privilege and could enable further attack progression through lateral movement or credential harvesting from exposed content. The vulnerability affects organizations using Discourse for collaborative environments where content security is paramount.

Mitigation strategies should focus on immediate deployment of patched versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 as recommended by the vendor. Organizations should also implement additional monitoring for unauthorized access attempts to upload directories and consider implementing network-level restrictions on external image loading capabilities. Security teams should review existing access controls and ensure proper validation of all requests, particularly those involving content that was previously protected. The remediation aligns with ATT&CK technique T1078 which addresses valid accounts and privilege escalation, as the vulnerability essentially allows unauthorized access through legitimate system interfaces. Organizations should also conduct security assessments to identify any potential exploitation that may have occurred prior to patch deployment.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!