๐Ÿ” CVE Alert

CVE-2026-46413

MEDIUM 6.5

Discourse: Regular users can route multipart uploads into the admin backup store

CVSS Score
6.5
EPSS Score
0.4%
EPSS Percentile
29th

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CWE CWE-862
Vendor discourse
Product discourse
Published Jul 9, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new medium vulnerabilities affecting discourse discourse are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Affected Versions

discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7 github.com: https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0 github.com: https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40 github.com: https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d github.com: https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0