{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33393", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.169Z", "datePublished": "2026-03-19T22:04:26.484Z", "dateUpdated": "2026-03-20T20:15:16.294Z"}, "containers": {"cna": {"title": "Discourse fixes loose hostname matching in spam host allowlist", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6"}, {"name": "https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2"}, {"name": "https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02"}, {"name": "https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:04:26.484Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available."}], "source": {"advisory": "GHSA-95r5-p6qr-hgw6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:15:06.393968Z", "id": "CVE-2026-33393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:15:16.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:15:06.393968Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:15:12.725Z"}}], "cna": {"title": "Discourse fixes loose hostname matching in spam host allowlist", "source": {"advisory": "GHSA-95r5-p6qr-hgw6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2", "name": "https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02", "name": "https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e", "name": "https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:04:26.484Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33393", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:15:16.294Z", "dateReserved": "2026-03-19T17:02:34.169Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:04:26.484Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `allowed_spam_host_domains` check used `String#end_with?` without domain boundary validation, allowing domains like `attacker-example.com` to bypass spam protection when `example.com` was allowlisted. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 require exact match or proper subdomain match (preceded by `.`) to prevent suffix-based bypass of `newuser_spam_host_threshold`. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, la verificaci\u00f3n 'allowed_spam_host_domains' utilizaba 'String#end_with?' sin validaci\u00f3n de l\u00edmites de dominio, lo que permit\u00eda que dominios como 'attacker-example.com' eludieran la protecci\u00f3n contra el correo no deseado cuando 'example.com' estaba en lista blanca. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 requieren una coincidencia exacta o una coincidencia de subdominio adecuada (precedida por '.') para evitar la elusi\u00f3n basada en sufijos de 'newuser_spam_host_threshold'. No hay soluciones alternativas conocidas disponibles."}], "id": "CVE-2026-33393", "lastModified": "2026-03-24T20:41:57.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:42.497", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/80b19c15fe9c7bc890d1a54f454c8446312ac6d2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/d8467b9fbb3d9ed6047b4e508d3fef88a37b8a02"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/f99099cfbc6b76fe39d6fa2daa48efd69497fb8e"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T21:32:49.230253+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to a patched version (2026.3.0 or later, 2026.2.1, or 2026.1.2)."], "summary": {"action": "Update", "impact": "Spam bypass"}, "threat_synthesis": {"affected_systems": "The issue affects the Discourse open\u2011source discussion platform. Versions before 2026.3.0-latest.1, before 2026.2.1, and before 2026.1.2 are vulnerable. All installations of these releases are susceptible; upgrading to any of the patched versions removes the flaw.", "description_and_impact": "The vulnerability lies in the spam host allowlist logic of Discourse\u2019s spam protection. Prior to the patched release, the code used a simple string suffix check (String#end_with?) to determine if an email domain matched an allowlisted domain. This allowed attacker\u2011controlled domains such as attacker-example.com to match an allowlist entry for example.com, bypassing the newuser_spam_host_threshold and enabling the attacker to send spam messages through the platform. The weakness is a sign\u2011in\u2011communication boundary flaw (CWE\u2011284). The direct consequence is that spam filtering is weakened, potentially allowing malicious content to reach users or consuming server resources.", "risk_and_exploitability": "The CVSS score of 4.3 suggests a moderate impact, and the EPSS score of less than 1% indicates a low likelihood of exploitation. Discourse has not catalogued this issue in the CISA KEV list, so it is not known to be actively exploited. Exploitation would require an attacker to have influence over the spam domain allowlist or rely on an existing allowlist entry; it is inferred that a remote attacker could use the issued domain to bypass spam checks. Because no active exploitation is documented, administrators should treat the risk as low but mitigate promptly."}}}}, "created": "2026-03-20T08:55:22.332376+00:00", "updated": "2026-03-25T11:54:30.955631+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}