SSRF in Discourse

CVE-2026-33185

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (13.8th percentile) — read the EPSS interpretation.

Affected products

Discourse — versions >= 2026.1.0-latest, < 2026.1.3, >= 2026.2.0-latest, < 2026.2.2, >= 2026.3.0-latest, < 2026.3.0

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3 (x_refsource_CONFIRM)
https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530 (x_refsource_MISC)