Discourse Webhooks Authentication Bypass Vulnerability Allowing Payload Forgery and User Bounce Score Manipulation

Vulnerability

A vulnerability exists in the Discourse webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost prior to versions 2025.12.2, 2026.1.1, and 2026.2.0. When no authentication token was configured for a provider, these endpoints accepted requests without any token, allowing unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, which could lead to the disabling of legitimate users' email. The Mailpace endpoint performed no token validation at all. In the patched versions, every webhook endpoint requires an authentication token and rejects requests that lack one with a 406 status. As a workaround, users can configure webhook authentication tokens for their email provider integrations, except for Mailpace, for which no workaround is currently available.

Impact

Exploitation of this vulnerability could result in unauthorized payload forgery for the affected webhook endpoints, leading to manipulated user bounce scores and the potential disabling of legitimate user email accounts.

Remediation

Users should ensure that webhook authentication tokens are configured for all email provider integrations in the site settings. The Mailpace endpoint has no workaround; apply the upcoming fix once it is available.
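The following is an added illustration of the failure mode described above and of the check the patched endpoints apply; it is not Discourse's own code. Discourse's real controllers, setting names, routes and scoring rules are not reproduced: the `webhook_token` setting, the `token` request parameter, the event shape and the "2.0 per bounce" arithmetic are constructed for this example. It shows the vulnerable pattern (an unconfigured token means the check is skipped) next to the hardened pattern (an unconfigured or missing token means the request is rejected with 406), using a constant-time comparison so a wrong token cannot be distinguished by timing.

```ruby
# Added illustration, not Discourse's own code. Setting names, the "token"
# parameter, the event format and the bounce-score arithmetic are constructed.

# The patched Discourse endpoints answer 406 when the token check fails.
REJECT_STATUS = 406
OK_STATUS     = 200

# Constant-time string comparison. Lengths are compared first; the byte
# loop then runs to completion regardless of where a mismatch occurs.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Vulnerable pattern from the advisory: with no token configured on the
# site, the check is skipped and any caller is accepted.
def token_valid_vulnerable?(configured, presented)
  return true if configured.nil? || configured.empty?
  presented == configured
end

# Hardened pattern: a missing or empty configured token disables the
# endpoint outright, and a missing or wrong presented token is rejected.
def token_valid_hardened?(configured, presented)
  return false if configured.nil? || configured.empty?
  return false if presented.nil?
  constant_time_equal?(configured, presented)
end

# Minimal bounce handler. `settings` carries the site's configured token,
# `request` is a constructed hash standing in for the parsed HTTP request,
# `bounce_scores` maps an e-mail address to its current score.
# Returns [http_status, bounce_scores].
def handle_bounce_webhook(settings, request, bounce_scores, validator)
  unless validator.call(settings[:webhook_token], request[:params]["token"])
    return [REJECT_STATUS, bounce_scores]
  end

  request[:events].each do |event|
    next unless event["event"] == "bounce"
    # Constructed scoring rule: each reported bounce adds 2.0 to the score.
    bounce_scores[event["email"]] = bounce_scores.fetch(event["email"], 0.0) + 2.0
  end
  [OK_STATUS, bounce_scores]
end

# Constructed forged payload: no token presented, five fake bounces for
# one address (the kind of request the advisory says was accepted).
FORGED_REQUEST = {
  params: {},
  events: Array.new(5) { { "event" => "bounce", "email" => "victim@example.com" } }
}

# Run the forged request against a site whose token setting is `configured_token`.
def demo(validator, configured_token)
  settings = { webhook_token: configured_token }
  handle_bounce_webhook(settings, FORGED_REQUEST, {}, validator)
end

if __FILE__ == $PROGRAM_NAME
  status, scores = demo(method(:token_valid_vulnerable?), nil)
  puts "vulnerable, no token configured: #{status} #{scores.inspect}"   # 200, score 10.0
  status, scores = demo(method(:token_valid_hardened?), nil)
  puts "hardened,   no token configured: #{status} #{scores.inspect}"   # 406, no change
end
```

With the vulnerable validator and no token configured, the forged request is processed and the victim's score climbs with every fake bounce; with the hardened validator the same request is refused with 406 and the score is untouched. The site-setting workaround in the advisory corresponds to making `configured` non-empty, which closes the bypass even under the vulnerable validator; the Mailpace case has no such setting to populate, which is why the advisory lists no workaround for it.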

Added: Feb 26, 2026, 3:58 PM
Updated: Feb 26, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.3
exploitability: 4.7
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.