Home

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

PUBLISHED Reserved 2026-05-13 | Published 2026-07-09 | Updated 2026-07-10 | Assigner GitHub_M




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-862: Missing Authorization

Product status

>= 2026.1.0-latest, < 2026.1.5
affected

>= 2026.4.0-latest, < 2026.4.2
affected

>= 2026.5.0-latest, < 2026.5.1
affected

References

github.com/...course/security/advisories/GHSA-3mvf-q9rg-w6m7

github.com/...ommit/1f1ded8dd361d81786bff17b35e1138d6ee299c0

github.com/...ommit/7ddde266617b452152c1bf5f903f6c07be38fc40

github.com/...ommit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d

github.com/...ommit/abaa664c5df84026efb2ca264ba0f5586c3f2b01

github.com/discourse/discourse/releases/tag/v2026.1.5

github.com/discourse/discourse/releases/tag/v2026.4.2

github.com/discourse/discourse/releases/tag/v2026.5.1

github.com/discourse/discourse/releases/tag/v2026.6.0

cve.org (CVE-2026-46413)

nvd.nist.gov (CVE-2026-46413)

Download JSON