Severity: HIGH · CVE-2026-44786 · CNA: GitHub_M

CVE-2026-44786: Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Metrics

CVSS v3.1 base score: 7.5
Severity: HIGH
Fixed in: 2026.1.4, 2026.3.1, 2026.4.1, 2026.5.0-latest.1
Affected products: 1


HarborGuard Analysis

Synopsis

Discourse's chat plugin publishes events for public category channels to MessageBus, the platform's real-time push layer, without scoping delivery to the users who are permitted to use chat. Any MessageBus subscriber on the site can therefore receive the chat message payloads for those channels as they are sent, whether or not chat is enabled for that subscriber. The published CVSS vector (AV:N/PR:N) treats the flaw as reachable over the network with no privileges, which covers anonymous subscribers on sites that serve them as well as logged-in users outside the chat-allowed groups. The impact is disclosure only (C:H/I:N/A:N): message content leaks, but nothing is altered or disrupted through this path. Patched-image rebuilds at versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 are available on HarborGuard for environments running an affected version.
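What "without permission scoping" means in MessageBus terms, shown as an added example that is not Discourse or message_bus gem code: the message_bus gem lets a publisher pass user_ids: and group_ids: to restrict which subscribers receive a message, and the toy bus below models that rule next to a vulnerable unscoped publish and a hardened scoped one. The channel name /chat/42, the group ids, the subscribers and the payload are all constructed for the illustration, and the delivery rule (a subscriber matches by user id or by any shared group) is a simplification of the real gem.

```ruby
# Toy stand-in for the message_bus gem's publish/subscribe, written for this
# page to illustrate CVE-2026-44786. It is NOT Discourse or message_bus code;
# only the option names (user_ids:, group_ids:) mirror MessageBus.publish.

Subscriber = Struct.new(:user_id, :group_ids, :inbox)

class ToyBus
  def initialize
    @subs = Hash.new { |h, k| h[k] = [] }
  end

  def subscribe(channel, subscriber)
    @subs[channel] << subscriber
  end

  # Without user_ids/group_ids every subscriber of the channel gets the message.
  # With either option set, a subscriber receives it only if its user id is
  # listed or it shares a group with group_ids (simplified delivery rule).
  def publish(channel, data, user_ids: nil, group_ids: nil)
    scoped = user_ids || group_ids
    @subs[channel].each do |sub|
      if scoped
        by_user  = user_ids && user_ids.include?(sub.user_id)
        by_group = group_ids && !(sub.group_ids & group_ids).empty?
        next unless by_user || by_group
      end
      sub.inbox << data
    end
  end
end

# Constructed model of one public category chat channel: the category is
# visible to everyone, but chat itself is gated to members of these groups.
CHAT_ALLOWED_GROUP_IDS = [10, 11].freeze   # constructed ids, e.g. staff + TL1
CHANNEL = "/chat/42"                         # constructed channel name

# Vulnerable shape: the event is broadcast to every subscriber of the channel.
def publish_unscoped(bus, payload)
  bus.publish(CHANNEL, payload)
end

# Hardened shape: delivery is restricted to the groups allowed to use chat.
def publish_scoped(bus, payload)
  bus.publish(CHANNEL, payload, group_ids: CHAT_ALLOWED_GROUP_IDS)
end

# Runs one publish against three constructed subscribers and reports how many
# payloads each received: a chat-enabled user, a logged-in user without chat,
# and an anonymous client with no session.
def run_scenario(publisher)
  bus       = ToyBus.new
  chat_user = Subscriber.new(1, [10], [])   # member of a chat-allowed group
  no_chat   = Subscriber.new(2, [1], [])    # logged in, chat not enabled for them
  anonymous = Subscriber.new(nil, [], [])   # no user, no groups
  [chat_user, no_chat, anonymous].each { |s| bus.subscribe(CHANNEL, s) }

  payload = { type: "sent", message: "quarterly numbers attached" } # constructed
  publisher.call(bus, payload)

  { chat_user: chat_user.inbox.size,
    no_chat:   no_chat.inbox.size,
    anonymous: anonymous.inbox.size }
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: #{run_scenario(method(:publish_unscoped))}"
  puts "scoped:   #{run_scenario(method(:publish_scoped))}"
end
```

The unscoped run delivers the payload to all three subscribers, which is the leak the advisory describes; the scoped run delivers only to the chat-enabled member. The same distinction applies when reviewing a fix: the check is whether every chat publish passes a user_ids or group_ids restriction derived from the channel's actual membership rules, not merely whether the channel name is hard to guess.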

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44786 is active across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Discourse images. Any image carrying a Discourse version inside one of the three affected ranges (2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, 2026.4.0-latest to before 2026.4.1) is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector, and that score is weighted against each customer environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

A patched-image rebuild at the fixed version for the affected branch (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The MessageBus endpoint is exposed over the network as part of the normal Discourse site, so an attacker must be able to reach the Discourse service remotely.

  • Authentication: Not required

    No credentials are needed; the CVSS vector specifies PR:N, so any MessageBus subscriber, including an unauthenticated one where the site serves anonymous clients, can receive the chat payloads.

  • Victim interaction: Not required

    Exploitation is passive; the attacker subscribes to the MessageBus channels that carry public chat events and receives them as they are published, without any action from a victim user.

  • Attack complexity: Low

    Attack complexity is Low (AC:L): the exploit is reliable and requires no special conditions, race timing, or environmental dependencies.

Blast Radius

  • Reads the full plaintext content of real-time chat messages posted to public category channels, including any sensitive information shared in those conversations.
  • Captures whatever metadata the chat payload carries, such as sender identity, timestamps, and channel context, without any authorization check.
  • Enables passive, continuous surveillance of ongoing chat activity for as long as the subscription is maintained.

How HarborGuard Handles This

Available on HarborGuard: detection against all affected Discourse version ranges is active and matched continuously as images are pushed or rebuilt. Once the upstream fix is confirmed (fix versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 are published upstream), a patched-image rebuild is available the moment an affected image is identified in a customer environment. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the appropriate fix version, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or organizational process requires manual approval, the rebuild artifact and PR are staged and held for review.

Until a patched image is deployed, the most targeted compensating control is to disable public chat channels, or the chat plugin as a whole (the chat_enabled site setting), on affected instances. Network-policy rules that restrict external access to the MessageBus endpoint also stop the leak, but the same endpoint carries every other live update in Discourse (new posts, notifications, presence), so blocking it externally degrades the whole site rather than just chat.

Affected packages
  • discourse / discourse
    >= 2026.1.0-latest, < 2026.1.4 · >= 2026.3.0-latest, < 2026.3.1 · >= 2026.4.0-latest, < 2026.4.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N