CVE-2026-32113
MEDIUM WAF: Medium
CVSS 6.1
Published: 2026-03-31
CWE-601
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| discourse | discourse | 2026.1.0 - 2026.1.3 |
| discourse | discourse | 2026.2.0 - 2026.2.2 |
| discourse | discourse | 2026.3.0 |
| discourse | discourse | 2026.3.0 |
References
- github.com (Patch)
- github.com (Mitigation, Vendor Advisory)
- meta.discourse.org (Product)
- meta.discourse.org (Product)