CVE-2026-32113

EUVD-2026-17546

31.03.2026, 18:16

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Affected Products (NVD)

Vendor	Product	Version
discourse	discourse	2026.1.0 ≤ 𝑥 < 2026.1.3
discourse	discourse	2026.2.0 ≤ 𝑥 < 2026.2.2
discourse	discourse	2026.3.0
discourse	discourse	2026.3.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://github.com/discourse/discourse/commit/080408b93d00305b51d71f63f755f43fa601884d

https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh

https://meta.discourse.org/t/using-discourse-as-a-sso-provider/32974

https://meta.discourse.org/t/use-discourse-as-an-identity-provider-sso-discourseconnect/32974