Description
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
Problem types
CWE-345: Insufficient Verification of Data Authenticity
Product status
>= 2026.4.0-latest, < 2026.4.2
>= 2026.1.0-latest, < 2026.1.5
References
github.com/...course/security/advisories/GHSA-8f9m-v436-wr3x
github.com/...ommit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b
github.com/...ommit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94
github.com/...ommit/958f0cd831d65a49ec75f05343ca2c167679f0ea
github.com/...ommit/aea35190791261bab258ebab05da279e78cdd0e6
github.com/discourse/discourse/releases/tag/v2026.1.5
github.com/discourse/discourse/releases/tag/v2026.4.2
github.com/discourse/discourse/releases/tag/v2026.5.1
github.com/discourse/discourse/releases/tag/v2026.6.0