CVE-2026-46413
Discourse: Regular users can route multipart uploads into the admin backup store
CVSS Score
6.5
EPSS Score
0.4%
EPSS Percentile
29th
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
| CWE | CWE-862 |
| Vendor | discourse |
| Product | discourse |
| Published | Jul 9, 2026 |
| Last Updated | Jul 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for discourse discourse
Be the first to know when new medium vulnerabilities affecting discourse discourse are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected Versions
discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1
References
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7 github.com: https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0 github.com: https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40 github.com: https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d github.com: https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0