CVE-2026-44783

MEDIUM

Discourse: Replying to a whisper lets non-whisperers create staff-only whisper posts

Title source: cna

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/discourse/discourse/security/advisories/GHSA-98ch-mgfj-wqpw

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 3.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

discourse/discourse >= 2026.1.0-latest, < 2026.1.4

discourse/discourse >= 2026.3.0-latest, < 2026.3.1

discourse/discourse >= 2026.4.0-latest, < 2026.4.1

Published Jun 12, 2026

Tracked Since Jun 13, 2026