FKIE_CVE-2026-26077

Vulnerability from fkie_nvd - Published: 2026-02-26 15:17 - Updated: 2026-02-27 14:06
Summary
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There is currently no workaround for Mailpace prior to applying this fix.

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There\u0027s no current workaround for mailpace before getting this fix."
    },
    {
      "lang": "es",
      "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, varios puntos finales de webhook (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) en el \u0027WebhooksController\u0027 aceptaban solicitudes sin un token de autenticaci\u00f3n v\u00e1lido cuando no se hab\u00eda configurado ning\u00fan token. Esto permit\u00eda a atacantes no autenticados falsificar cargas \u00fatiles de webhook e inflar artificialmente las puntuaciones de rebote de los usuarios, lo que podr\u00eda provocar la desactivaci\u00f3n de correos electr\u00f3nicos leg\u00edtimos de usuarios. El punto final de Mailpace no ten\u00eda ninguna validaci\u00f3n de token. A partir de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, todos los puntos finales de webhook rechazan las solicitudes con una respuesta 406 cuando no hay un token de autenticaci\u00f3n configurado. Como soluci\u00f3n alternativa, aseg\u00farese de que los tokens de autenticaci\u00f3n de webhook est\u00e9n configurados para todas las integraciones de proveedores de correo electr\u00f3nico en la configuraci\u00f3n del sitio (p. ej., \u0027sendgrid_verification_key\u0027, \u0027mailjet_webhook_token\u0027, \u0027postmark_webhook_token\u0027, \u0027sparkpost_webhook_token\u0027). No hay una soluci\u00f3n alternativa actual para Mailpace antes de obtener esta correcci\u00f3n."
    }
  ],
  "id": "CVE-2026-26077",
  "lastModified": "2026-02-27T14:06:37.987",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T15:17:36.653",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/discourse/discourse/security/advisories/GHSA-j67c-53j2-4hfw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
