CVE-2026-44786
Last modified
CVE-2026-44786 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2026.1.0 |
| Discourse | Discourse | >= 2026.1.0, < 2026.1.4 |
| Discourse | Discourse | >= 2026.3.0, < 2026.3.1 |
| Discourse | Discourse | >= 2026.4.0, < 2026.4.1 |
| Discourse | Discourse | 2026.5.0 |
References
- https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-44786?
How severe is CVE-2026-44786?
How do I fix CVE-2026-44786?
Are you affected by CVE-2026-44786?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST