BIT-discourse-2026-53961

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-53961.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-discourse-2026-53961
Aliases
Published
2026-07-15T15:56:21.593Z
Modified
2026-07-15T16:27:43.898160669Z
Summary
Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Details

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Database specific
{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / discourse

Package

Name
discourse
Purl
pkg:bitnami/discourse

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
2026.1.0
Fixed
2026.1.5
Introduced
2026.4.0
Fixed
2026.4.2
Introduced
2026.5.0
Fixed
2026.5.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-53961.json"