BIT-discourse-2026-45788: Discourse: Secure uploads exposed by hotlinked image copying
Discourse versions prior to 2026.1.5, 2026.4.2, and 2026.5.1 have a vulnerability where secure uploads could be exposed via the pull_hotlinked_images feature if an attacker knew the secured upload URL and the secure_uploads setting was enabled. This issue allows unauthorized access to uploads intended to be secure. The vulnerability is fixed in versions 2026.1.5, 2026.4.2, and 2026.5.1 and later.
AI Analysis
Technical Summary
Discourse, an open-source discussion platform, had a vulnerability identified as CVE-2026-45788 affecting versions prior to 2026.1.5, 2026.4.2, and 2026.5.1. The issue involves the pull_hotlinked_images functionality exposing secure uploads when the secure_uploads site setting is enabled and an attacker knows the secured upload URL. This exposure could lead to unauthorized access to files meant to be protected. The vulnerability has been addressed and fixed in the specified later versions.
Potential Impact
The vulnerability allows an attacker who knows the secured upload URL to access secure uploads that should be protected by the secure_uploads setting. This could lead to unauthorized disclosure of potentially sensitive uploaded content. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
Upgrade Discourse to versions 2026.1.5, 2026.4.2, 2026.5.1, or later where this vulnerability is fixed. No other mitigation is indicated by the vendor advisory.
BIT-discourse-2026-45788: Discourse: Secure uploads exposed by hotlinked image copying
Description
Discourse versions prior to 2026.1.5, 2026.4.2, and 2026.5.1 have a vulnerability where secure uploads could be exposed via the pull_hotlinked_images feature if an attacker knew the secured upload URL and the secure_uploads setting was enabled. This issue allows unauthorized access to uploads intended to be secure. The vulnerability is fixed in versions 2026.1.5, 2026.4.2, and 2026.5.1 and later.
Affected software
pkg:bitnami/discourseRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Discourse, an open-source discussion platform, had a vulnerability identified as CVE-2026-45788 affecting versions prior to 2026.1.5, 2026.4.2, and 2026.5.1. The issue involves the pull_hotlinked_images functionality exposing secure uploads when the secure_uploads site setting is enabled and an attacker knows the secured upload URL. This exposure could lead to unauthorized access to files meant to be protected. The vulnerability has been addressed and fixed in the specified later versions.
Potential Impact
The vulnerability allows an attacker who knows the secured upload URL to access secure uploads that should be protected by the secure_uploads setting. This could lead to unauthorized disclosure of potentially sensitive uploaded content. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
Upgrade Discourse to versions 2026.1.5, 2026.4.2, 2026.5.1, or later where this vulnerability is fixed. No other mitigation is indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- BIT-discourse-2026-45788
- Osv Schema Version
- 1.6.2
- Aliases
- ["CVE-2026-45788"]
- Ecosystems
- ["Bitnami"]
- Database Specific Severity
- Medium
- Cvss Version
- null
Threat ID: 6a58b51a68715ace43db45b5
Added to database: 07/16/2026, 10:40:26 UTC
Last enriched: 07/16/2026, 14:30:11 UTC
Last updated: 07/17/2026, 00:26:16 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.