Discourse
Moderate fix3 remedies
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
Moderate fix3 remedies
- >= 2026.2.0-latest
- >= 2026.1.0-latest
Discourse Allowed Spam Host Domains Bypass Vulnerability
Vulnerability
Patched
A vulnerability in Discourse's spam protection mechanism allows certain domains to bypass filters. This issue arises because the `allowed_spam_host_domains` check improperly uses `String#end_with?` without validating domain boundaries. As a result, domains like `attacker-example.com` could evade spam detection if `example.com` was on the allowlist. The vulnerability is present in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.
Impact
Exploitation of this vulnerability allows for a bypass of spam protection, potentially leading to an increase in unwanted or harmful content being posted.
Reproduction
To reproduce this vulnerability, set the `allowed_spam_host_domains` site setting to `example.com` and the `newuser_spam_host_threshold` to `1`. Then, create a post containing a link to `attacker-example.com`. The post will be incorrectly allowed, demonstrating the bypass.
Remediation
Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 to address this vulnerability.
Added: Mar 19, 2026, 10:20 PM
Updated: Mar 19, 2026, 10:20 PM
Vulnerability Rating
Custom Algorithm
spread
2.4impact
0.6exploitability
5.7remediation
7.7relevance
4.1threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.