CVE-2021-3138

HIGH

Discourse 2.7.0-beta1 - Two-Factor Authentication Bypass via Rate-Limit Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3138. PoCs published by Mesh3l911.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2021-3138, a rate limit bypass vulnerability in Discourse 2.7.0 that leads to 2FA bypass. The exploit sends multiple authentication requests to bypass rate limits and brute-force backup codes.

Description

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

Exploits (1)

nomisec WORKING POC 1 stars
by Mesh3l911 · poc
https://github.com/Mesh3l911/CVE-2021-3138

The repository contains functional exploit code for CVE-2021-3138, a rate limit bypass vulnerability in Discourse 2.7.0 that leads to 2FA bypass. The exploit sends multiple authentication requests to bypass rate limits and brute-force backup codes.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Discourse 2.7.0
Auth required
Prerequisites: Valid username and password · Access to target Discourse instance · CSRF token and session cookie · List of backup codes (for brute-forcing)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/discourse/discourse/releases
Third Party Advisory x_refsource_misc
https://github.com/Mesh3l911/Disource
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html

Scores

CVSS v3 7.5
EPSS 0.0307
EPSS Percentile 85.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-307
Status published
Products (2)
discourse/discourse 2.7.0 beta1
discourse/discourse < 2.6.0
Published Jan 14, 2021
Tracked Since Feb 18, 2026