CVE-2026-26077

{"id": "CVE-2026-26077", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T15:17:36.653", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-j67c-53j2-4hfw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There's no current workaround for mailpace before getting this fix."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, varios puntos finales de webhook (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) en el 'WebhooksController' aceptaban solicitudes sin un token de autenticaci\u00f3n v\u00e1lido cuando no se hab\u00eda configurado ning\u00fan token. Esto permit\u00eda a atacantes no autenticados falsificar cargas \u00fatiles de webhook e inflar artificialmente las puntuaciones de rebote de los usuarios, lo que podr\u00eda provocar la desactivaci\u00f3n de correos electr\u00f3nicos leg\u00edtimos de usuarios. El punto final de Mailpace no ten\u00eda ninguna validaci\u00f3n de token. A partir de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, todos los puntos finales de webhook rechazan las solicitudes con una respuesta 406 cuando no hay un token de autenticaci\u00f3n configurado. Como soluci\u00f3n alternativa, aseg\u00farese de que los tokens de autenticaci\u00f3n de webhook est\u00e9n configurados para todas las integraciones de proveedores de correo electr\u00f3nico en la configuraci\u00f3n del sitio (p. ej., 'sendgrid_verification_key', 'mailjet_webhook_token', 'postmark_webhook_token', 'sparkpost_webhook_token'). No hay una soluci\u00f3n alternativa actual para Mailpace antes de obtener esta correcci\u00f3n."}], "lastModified": "2026-03-02T21:53:56.453", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DB837D7-28C8-4E0F-B55F-AAAA36F32035", "versionEndExcluding": "2025.12.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "2026.1.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*", "vulnerable": true, "matchCriteriaId": "BB002FDC-BC71-4C46-8AAF-A34EC717E0E7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}