Discourse Cache Poisoning Vulnerability via Missing Cache-Control Header in Error Responses

Vulnerability

A vulnerability exists in Discourse versions prior to 3.6.2 and 3.6.0.beta2, where error responses lacked the default Cache-Control header set to 'no-store, no-cache'. This omission could lead to unintended caching of these responses by proxies, potentially allowing for cache poisoning attacks. The vulnerability has been addressed in versions 3.6.2 and 3.6.0.beta2.

Impact

The absence of the Cache-Control header in error responses could result in unintended caching by proxies, creating a risk of cache poisoning attacks.

Reproduction

To reproduce this vulnerability, send a request to a Discourse server running a vulnerable version. When the server generates an error response, such as a 404 Not Found or a 403 Forbidden due to an invalid API key, the response will not include the 'Cache-Control' header. This can be verified by checking the response headers.
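The header check described above can be scripted for verifying your own deployment before and after the upgrade. The following is an added example, not code from Discourse or from this advisory; the function names and the sample responses are constructed for illustration, and it assumes a patched error response carries both directives of the 'no-store, no-cache' default named above.

```python
"""Audit error responses for the Cache-Control default this advisory names."""
import sys
import urllib.error
import urllib.request

REQUIRED = {"no-store", "no-cache"}  # assumed patched default, per the advisory text

def parse_cache_control(value):
    """Return the set of lowercase directive names in a Cache-Control value."""
    directives = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives

def audit(status, headers):
    """Return a finding string for an error response, or None if nothing to report."""
    if status < 400:
        return None  # only error responses are in scope here
    lowered = {k.lower(): v for k, v in headers.items()}
    if "cache-control" not in lowered:
        return f"{status}: no Cache-Control header"
    missing = REQUIRED - parse_cache_control(lowered["cache-control"])
    if missing:
        return f"{status}: Cache-Control lacks {', '.join(sorted(missing))}"
    return None

def fetch(url):
    """Fetch url and return (status, headers), including for HTTP error statuses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    (404, {"Content-Type": "text/html"}),
    (403, {"cache-control": "no-store, no-cache"}),
    (404, {"Cache-Control": "max-age=60, no-cache"}),
    (200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    # With URLs as arguments, audit live responses; otherwise use the samples.
    responses = [fetch(u) for u in sys.argv[1:]] or SAMPLES
    for status, headers in responses:
        print(audit(status, headers) or f"{status}: ok")
```

Run it with one or more URLs on your own server that return an error, and compare the output from the origin with the output obtained through any proxy or CDN in front of it.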

Remediation

Users can update to Discourse versions 3.6.2 or 3.6.0.beta2 to address this vulnerability.

Added: Oct 28, 2025, 9:23 PM
Updated: Oct 28, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.