Discourse: Unauthenticated attacker can trick users into visiting malicious sites
CVE-2026-33427
Summary
An attacker can trick Discourse users into visiting a fake website that looks like a legitimate Discourse authorization page, potentially stealing sensitive information or causing users to install malware. This vulnerability affects older versions of Discourse and has been fixed in newer versions. Make sure to update to the latest version of Discourse to protect your users.
Original title
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to disp...
Original description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
NVD CVSS 4.0 score: 2.7
Vulnerability type: CWE-862 (Missing Authorization)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026