{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33185", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.720Z", "datePublished": "2026-03-31T17:41:44.893Z", "dateUpdated": "2026-04-01T13:47:00.577Z"}, "containers": {"cna": {"title": "Discourse: Group SMTP test endpoint susceptible to SSRF", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3"}, {"name": "https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:41:44.893Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-5976-77mj-m4h3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:46:51.051012Z", "id": "CVE-2026-33185", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:47:00.577Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33185", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:46:51.051012Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:46:55.592Z"}}], "cna": {"title": "Discourse: Group SMTP test endpoint susceptible to SSRF", "source": {"advisory": "GHSA-5976-77mj-m4h3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.3"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.2"}, {"status": "affected", "version": ">= 2026.3.0-latest, < 2026.3.0"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530", "name": "https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:41:44.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33185", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:47:00.577Z", "dateReserved": "2026-03-17T22:16:36.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:41:44.893Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal network infrastructure. The endpoint was accessible to non-staff group owners. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-33185", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:52.113", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/e75cf456e8e318290c569bd6e8fa0f2586ffc530"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-5976-77mj-m4h3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-31T19:36:17.696639+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Discourse version 2026.1.3, 2026.2.2, or 2026.3.0 or later."], "summary": {"action": "Patch immediately", "impact": "Server-side request forgery allowing arbitrary outbound connections"}, "threat_synthesis": {"affected_systems": "The flaw affects the Discourse open\u2011source discussion platform. Versions that are vulnerable include 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 prior to 2026.3.0. The affected product is properly named Discourse; no additional vendor names are required.", "description_and_impact": "The vulnerability occurs in Discourse\u2019s group email settings test endpoint, which can be used to force the server to initiate outbound HTTP or SMTP connections to any host and port. This can enable an attacker to probe internal network hosts and services, exposing service listings and potentially mapping network topology. The weakness is a classic SSRF flaw (CWE\u2011918); it does not provide code execution or privilege escalation but can compromise confidentiality and help in lateral reconnaissance. The CVSS score of 5.3 indicates medium severity. The attack path requires reaching the test endpoint, which is accessible to any user who owns a group but is not a staff member.", "risk_and_exploitability": "The CVSS score places the issue at medium risk. EPSS data is not available, but the fact that the endpoint is reachable from any non\u2011staff group owner suggests that exploitation is plausible in environments where users can create or own groups. The vulnerability is not listed in the CISA KEV catalog, so publicly known exploits are not documented. Attackers could initiate arbitrary outbound connections from the Discourse server, potentially leaking internal IPs and service ports. No direct exploit conditions beyond accessing the test endpoint are specified; therefore the exploitation likelihood is moderate."}}}}, "created": "2026-03-31T19:53:37.281911+00:00", "updated": "2026-03-31T20:37:32.512248+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}