Home

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

PUBLISHED Reserved 2026-06-11 | Published 2026-07-09 | Updated 2026-07-09 | Assigner GitHub_M




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-345: Insufficient Verification of Data Authenticity

Product status

>= 2026.5.0-latest, < 2026.5.1
affected

>= 2026.4.0-latest, < 2026.4.2
affected

>= 2026.1.0-latest, < 2026.1.5
affected

References

github.com/...course/security/advisories/GHSA-8f9m-v436-wr3x

github.com/...ommit/3a3d315a85ef3c6aabfc7e7bb38702059784f06b

github.com/...ommit/61f12e13aa1b760f81d5ff60f12e3a7e77434b94

github.com/...ommit/958f0cd831d65a49ec75f05343ca2c167679f0ea

github.com/...ommit/aea35190791261bab258ebab05da279e78cdd0e6

github.com/discourse/discourse/releases/tag/v2026.1.5

github.com/discourse/discourse/releases/tag/v2026.4.2

github.com/discourse/discourse/releases/tag/v2026.5.1

github.com/discourse/discourse/releases/tag/v2026.6.0

cve.org (CVE-2026-53961)

nvd.nist.gov (CVE-2026-53961)

Download JSON