{"api_version":"1","generated_at":"2026-07-10T18:11:18+00:00","cve":"CVE-2026-46413","urls":{"html":"https://cve.report/CVE-2026-46413","api":"https://cve.report/api/cve/CVE-2026-46413.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46413","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46413"},"summary":{"title":"Discourse: Regular users can route multipart uploads into the admin backup store","description":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-09 22:17:05","updated_at":"2026-07-10 15:53:08"},"problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","name":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d","name":"https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7","name":"https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40","name":"https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","name":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0","name":"https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01","name":"https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","name":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","name":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46413","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46413","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.1.0-latest, < 2026.1.5","platforms":[]},{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.4.0-latest, < 2026.4.2","platforms":[]},{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.5.0-latest, < 2026.5.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-46413","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-10T14:32:30.407572Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-10T14:32:39.498Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"discourse","vendor":"discourse","versions":[{"status":"affected","version":">= 2026.1.0-latest, < 2026.1.5"},{"status":"affected","version":">= 2026.4.0-latest, < 2026.4.2"},{"status":"affected","version":">= 2026.5.0-latest, < 2026.5.1"}]}],"descriptions":[{"lang":"en","value":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-09T21:55:45.096Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7"},{"name":"https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/1f1ded8dd361d81786bff17b35e1138d6ee299c0"},{"name":"https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/7ddde266617b452152c1bf5f903f6c07be38fc40"},{"name":"https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/a53df26dcf7e50ce2b20bfd5454a0c9d44b8fc7d"},{"name":"https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/abaa664c5df84026efb2ca264ba0f5586c3f2b01"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.1.5"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.4.2"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.5.1"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.6.0"}],"source":{"advisory":"GHSA-3mvf-q9rg-w6m7","discovery":"UNKNOWN"},"title":"Discourse: Regular users can route multipart uploads into the admin backup store"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-46413","datePublished":"2026-07-09T21:55:45.096Z","dateReserved":"2026-05-13T21:04:10.933Z","dateUpdated":"2026-07-10T14:32:39.498Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-09 22:17:05","lastModifiedDate":"2026-07-10 15:53:08","problem_types":["CWE-862","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-10T14:32:30.407572Z","id":"CVE-2026-46413","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46413","Ordinal":"1","Title":"Discourse: Regular users can route multipart uploads into the ad","CVE":"CVE-2026-46413","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46413","Ordinal":"1","NoteData":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.","Type":"Description","Title":"Discourse: Regular users can route multipart uploads into the ad"}]}}}