Discourse Group Email Settings Endpoint Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Discourse, an open-source discussion platform. It affects versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The flaw lies in the group email settings test endpoint, which allowed non-staff group owners to make the server open outbound connections to arbitrary hosts and ports, and could therefore be used to probe internal network infrastructure. The issue is patched in the fixed versions listed above.

Impact

Exploiting this vulnerability allowed unauthorized outbound connections from the server to internal hosts and ports, a server-side request forgery (SSRF). This could be used to probe internal network infrastructure, cloud metadata endpoints, and internal services.

Reproduction

To reproduce this vulnerability, a non-staff group owner can access the group email settings test endpoint. This can be done by sending a POST request to the endpoint with the group ID and the desired host:port combination. The server will then initiate an outbound connection to the specified address, bypassing any restrictions on internal IP addresses.

Remediation

Users are advised to update Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0.
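The patched behaviour described above amounts to two checks before the endpoint opens any socket: the caller must be staff, and the requested host:port must not point into the server's own network. The following Ruby is an added example of such a check, not Discourse's own code; the blocked address ranges, the mail-port allowlist and the injectable resolver are assumptions made for illustration.

```ruby
require "ipaddr"
require "resolv"

# Added example, not Discourse's own code: validation a group email settings
# test endpoint should apply before opening an outbound connection.
# Assumed block list: loopback, RFC 1918, CGNAT, link-local (169.254.0.0/16
# also covers the usual cloud metadata address), IPv6 loopback/ULA/link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  100.64.0.0/10 169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Ports an SMTP/IMAP settings test legitimately needs (assumed allowlist).
ALLOWED_PORTS = [25, 143, 465, 587, 993].freeze

DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Turns a literal IP or a hostname into the IPAddr objects it maps to.
# The resolver is injectable so the check can be exercised without DNS.
def resolve_targets(host, resolver)
  [IPAddr.new(host)]
rescue IPAddr::InvalidAddressError
  resolver.call(host).map { |a| IPAddr.new(a) }
end

# Returns nil when the test may proceed, otherwise a string explaining the
# rejection. Order of checks: caller is staff, port is a mail port, and every
# address the host maps to lies outside the blocked ranges.
def email_test_rejection(host, port, staff:, resolver: DEFAULT_RESOLVER)
  return "forbidden: only staff may run the email settings test" unless staff
  return "port #{port} is not a permitted mail port" unless ALLOWED_PORTS.include?(port.to_i)

  targets = resolve_targets(host, resolver)
  return "host #{host} did not resolve" if targets.empty?

  targets.each do |addr|
    addr = addr.native if addr.ipv4_mapped? # ::ffff:10.0.0.5 -> 10.0.0.5
    return "host #{host} maps to blocked address #{addr}" if BLOCKED_RANGES.any? { |r| r.include?(addr) }
  end
  nil
end
```

To avoid a DNS rebinding gap, connect to the address that passed validation rather than re-resolving the hostname afterwards.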

Added: Mar 31, 2026, 6:26 PM
Updated: Mar 31, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm
  spread          2.4
  impact          0.4
  exploitability  3.7
  remediation     7.7
  relevance       5.1
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.