CVE-2026-53961
MEDIUMDiscourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Title source: cnaDescription
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
References (9)
Core 9
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/958f0cd831d65a49ec75f05343ca2c167679f0ea
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/aea35190791261bab258ebab05da279e78cdd0e6
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.1.5
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.4.2
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.5.1
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.6.0
Scores
CVSS v3
6.5
EPSS
0.0022
EPSS Percentile
12.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-345
Status
published
Products (3)
discourse/discourse
>= 2026.1.0-latest, < 2026.1.5
discourse/discourse
>= 2026.4.0-latest, < 2026.4.2
discourse/discourse
>= 2026.5.0-latest, < 2026.5.1
Published
Jul 09, 2026
Tracked Since
Jul 10, 2026