Discourse Vulnerability Allows Network Probing via Email Settings
CVE Notify is flagging a security flaw in the popular open-source discussion platform Discourse. The vulnerability, tracked as CVE-2026-33185, lies in the group email settings test endpoint. According to CVE Notify, a non-staff group owner could use this endpoint to make the Discourse server open outbound connections to arbitrary hosts and ports, a server-side request forgery (SSRF) pattern. The impact is significant: an attacker could use the server's network position to probe internal infrastructure, effectively mapping hosts and services behind the firewall.
Several release lines are affected. CVE Notify lists the vulnerable ranges as 2026.1.0-latest up to but not including 2026.1.3, 2026.2.0-latest up to but not including 2026.2.2, and 2026.3.0-latest up to but not including 2026.3.0. Patches are available: Discourse fixed the issue in releases 2026.1.3, 2026.2.2, and 2026.3.0.
What This Means For You
- Update to a patched release (2026.1.3, 2026.2.2, or 2026.3.0, depending on your release line).
- Given that non-staff group owners could trigger this network probing, review and restrict the privileges assigned to group owners within your Discourse instance. Limit this role to trusted individuals who need it for legitimate administrative functions.
- Until patched, check egress logs from the Discourse host for connections to unexpected internal addresses or non-mail ports; such connections originating from the email settings test would be a sign the endpoint was being used for probing.
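For anyone building a similar "test this mail server" feature, the defensive pattern is to validate the user-supplied host and port before any socket is opened: resolve the name, reject addresses in loopback, private, link-local and other non-public ranges (including IPv4-mapped IPv6 forms), and allow only the ports a mail test legitimately needs. The Ruby below is an added example written for this page, not Discourse's code or its actual fix; the hostnames, the blocked-range list, the port allowlist and the injectable resolver stub are constructed assumptions.

```ruby
require "ipaddr"
require "resolv"

# Added example, not Discourse's own code: a defensive validator for a
# user-supplied mail-server host/port before a settings "test connection"
# is attempted. Hostnames, ranges and the resolver stub are constructed.

# Address ranges an outbound mail test should never reach from the server.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Ports a mail-server test legitimately needs (SMTP, submission, SMTPS, IMAP, IMAPS).
ALLOWED_PORTS = [25, 143, 465, 587, 993].freeze

# True when the address falls in a blocked range. IPv4-mapped IPv6 addresses
# (::ffff:10.0.0.5) are unwrapped first so they cannot slip past the list.
def internal_address?(address)
  addr = IPAddr.new(address.to_s)
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve a host to all of its addresses. Literal IPs are returned as-is;
# names go through +resolver+, a callable returning an array of address
# strings (the system resolver by default, injectable so checks run offline).
def resolve_host(host, resolver)
  [IPAddr.new(host).to_s]
rescue IPAddr::InvalidAddressError
  resolver.call(host).map(&:to_s)
end

# Validate a host/port pair. Returns :ok, :errors and the pinned :addresses
# the caller should connect to. Connect to those exact addresses rather than
# re-resolving later, or a DNS rebinding could swap in an internal address
# after the check has passed.
def validate_mail_target(host, port, resolver: ->(h) { Resolv.getaddresses(h) })
  errors = []
  port_number = Integer(port, exception: false)
  errors << "port #{port.inspect} is not an allowed mail port" unless ALLOWED_PORTS.include?(port_number)

  addresses = resolve_host(host, resolver)
  errors << "host #{host.inspect} does not resolve" if addresses.empty?
  addresses.each do |a|
    errors << "host #{host.inspect} resolves to non-public address #{a}" if internal_address?(a)
  end

  { ok: errors.empty?, errors: errors, addresses: addresses }
end
```

The validator checks every address a name resolves to, so a host with one public and one private record is rejected rather than letting the connection pick the internal one. The same checks belong in front of any server-side connection the user can aim, and the server's own egress firewall should enforce them independently in case application-level validation is bypassed.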
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33185 | SSRF | Discourse versions 2026.1.0-latest to 2026.1.3, 2026.2.0-latest to 2026.2.2, and 2026.3.0-latest to 2026.3.0. Vulnerable component: group email settings test endpoint. Allows outbound connections to arbitrary hosts and ports, enabling internal network probing. Accessible to non-staff group owners. |
| CVE-2026-33185 | Information Disclosure | Discourse versions 2026.1.0-latest to 2026.1.3, 2026.2.0-latest to 2026.2.2, and 2026.3.0-latest to 2026.3.0. Vulnerable component: group email settings test endpoint. Allows probing of internal network infrastructure. |