CVE-2022-39356
HIGHDiscourse < 2.8.10 - Unauthenticated Account Takeover via Unscoped Invitation Link
Title source: llmDescription
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.
References (2)
Core 2
Core References
Patch, Third Party Advisory
https://github.com/discourse/discourse/pull/18817
Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278
Scores
CVSS v3
8.9
EPSS
0.0032
EPSS Percentile
55.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-285
Status
published
Products (2)
discourse/discourse
2.9.0 beta1 (10 CPE variants)
discourse/discourse
< 2.8.10
Published
Nov 02, 2022
Tracked Since
Feb 18, 2026