CVE-2026-33393

Summary

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the allowed_spam_host_domains check used String#end_with? without domain boundary validation, allowing domains like attacker-example.com to bypass spam protection when example.com was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by .) to prevent suffix-based bypass of newuser_spam_host_threshold. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse>= 2026.1.0-latest, < 2026.1.2affected
discoursediscourse>= 2026.2.0-latest, < 2026.2.1affected
discoursediscourse= 2026.3.0-latestaffected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References