Description
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Problem types
CWE-862: Missing Authorization
Product status
>= 2026.4.0-latest, < 2026.4.2
>= 2026.5.0-latest, < 2026.5.1
References
github.com/...course/security/advisories/GHSA-3mvf-q9rg-w6m7
github.com/...ommit/1f1ded8dd361d81786bff17b35e1138d6ee299c0
github.com/...ommit/7ddde266617b452152c1bf5f903f6c07be38fc40
github.com/...ommit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d
github.com/...ommit/abaa664c5df84026efb2ca264ba0f5586c3f2b01
github.com/discourse/discourse/releases/tag/v2026.1.5
github.com/discourse/discourse/releases/tag/v2026.4.2
github.com/discourse/discourse/releases/tag/v2026.5.1
github.com/discourse/discourse/releases/tag/v2026.6.0