CVE-2022-21684: CWE-287: Improper Authentication in discourse discourse

Medium
Published: Thu Jan 13 2022 (01/13/2022, 21:05:11 UTC)
Source: CVE
Vendor/Project: discourse
Product: discourse

Description

Discourse is an open source discussion platform. Versions prior to 2.7.13 in `stable`, 2.8.0.beta11 in `beta`, and 2.8.0.beta11 in `tests-passed` allow some users to log in to a community before they should be able to do so. A user invited via email to a forum with `must_approve_users` enabled is going to be automatically logged in, bypassing the check that does not allow unapproved users to sign in. They will be able to do everything an approved user can do. If they logout, they cannot log back in. This issue is patched in the `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11. One may disable invites as a workaround. Administrators can increase `min_trust_level_to_allow_invite` to reduce the attack surface to more trusted users.

AI-Powered Analysis

Last updated: 06/23/2025, 18:18:43 UTC

Technical Analysis

CVE-2022-21684 is a medium-severity authentication vulnerability affecting Discourse, an open-source discussion platform widely used for online communities and forums. The flaw exists in versions prior to 2.7.13 on the stable branch and prior to 2.8.0.beta11 on the beta and tests-passed branches. When the 'must_approve_users' setting is enabled, which is designed to require administrator approval before new users can log in, invited users can bypass this restriction. Specifically, a user invited via email is automatically logged in to the community before receiving approval, circumventing the intended access control. This improper authentication (CWE-287) allows the invited user to perform all actions available to approved users during that initial session. However, if the user logs out, they cannot log back in without approval, which limits the persistence of the unauthorized access. The vulnerability arises because the approval check enforced on the normal login path is not applied when an invited user's first session is created. The issue has been patched in stable version 2.7.13 and in version 2.8.0.beta11 on the beta and tests-passed branches. As a temporary mitigation, administrators can disable invites or raise the 'min_trust_level_to_allow_invite' setting so that only more trusted users can send invitations, reducing the attack surface. No exploitation in the wild has been reported, but the flaw could be used to gain unauthorized access to community forums, potentially exposing sensitive discussions or, depending on what an approved user may do on a given site, administrative functions.
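The description and the technical analysis above both describe the same gap: the approval gate exists on the ordinary login path but was not applied when an email invite was redeemed. The following Ruby model is an added illustration, not Discourse's own code; every class and method name in it is hypothetical, and only the setting name must_approve_users is taken from the advisory. It places the vulnerable shape of the invite flow beside a hardened one that reuses the same gate the login path applies.

```ruby
# Added illustration of the CVE-2022-21684 pattern. Not Discourse code:
# SiteSettings, User, Session, Pending and the methods below are hypothetical
# names chosen for this example. Only `must_approve_users` is from the advisory.

SiteSettings = Struct.new(:must_approve_users, keyword_init: true)
User         = Struct.new(:username, :approved, keyword_init: true)

# A successful authentication yields a Session; a refused one yields Pending.
Session = Struct.new(:username)
Pending = Struct.new(:username, :reason)

# The approval gate: with must_approve_users on, an unapproved account
# must not receive a session.
def approval_gate(settings, user)
  return nil unless settings.must_approve_users && !user.approved
  Pending.new(user.username, "awaiting staff approval")
end

# Ordinary login path: applies the gate before issuing a session.
def login(settings, user)
  approval_gate(settings, user) || Session.new(user.username)
end

# Vulnerable shape: redeeming an email invite creates the (unapproved)
# account and issues a session directly, never consulting the gate. Because
# `login` still enforces it, the access ends at logout, which matches the
# advisory's "if they logout, they cannot log back in".
def redeem_invite_vulnerable(_settings, username)
  user = User.new(username: username, approved: false)
  Session.new(user.username)
end

# Hardened shape: the invite path goes through the same gate as login, so an
# unapproved invitee gets Pending instead of a live session.
def redeem_invite_hardened(settings, username)
  user = User.new(username: username, approved: false)
  approval_gate(settings, user) || Session.new(user.username)
end

if __FILE__ == $PROGRAM_NAME
  strict = SiteSettings.new(must_approve_users: true)
  puts "vulnerable invite: #{redeem_invite_vulnerable(strict, 'alice').class}"   # Session
  puts "hardened invite:   #{redeem_invite_hardened(strict, 'alice').class}"     # Pending
  puts "normal login:      #{login(strict, User.new(username: 'alice', approved: false)).class}" # Pending
end
```

The point of routing both paths through one `approval_gate` is that any future entry point that mints a session (invite, SSO, magic link) has one obvious place to call, rather than re-implementing the check and risking the same omission.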

Potential Impact

For European organizations using Discourse to host internal or external community forums, this vulnerability could lead to unauthorized access by unapproved users, compromising the confidentiality and integrity of forum content. Attackers could exploit this flaw to access sensitive discussions, intellectual property, or user data that is otherwise restricted. The ability to act as an approved user could also allow manipulation of forum content, dissemination of misinformation, or social engineering attacks targeting legitimate users. Although the vulnerability does not allow persistent unauthorized access after logout, the initial session could be sufficient for data exfiltration or disruption. Organizations in sectors such as education, government, technology, and finance that rely on Discourse for collaboration or customer engagement may face reputational damage and regulatory compliance issues if sensitive information is exposed. The impact on availability is limited, as the vulnerability does not directly affect system stability or uptime.

Mitigation Recommendations

1. Upgrade Discourse installations to at least version 2.7.13 (stable) or 2.8.0.beta11 (beta) immediately to apply the official patch addressing this vulnerability.
2. Temporarily disable the invitation feature if upgrading is not immediately feasible, to prevent unapproved users from bypassing login restrictions.
3. Increase the 'min_trust_level_to_allow_invite' setting to restrict the ability to send invitations to highly trusted users only, reducing the risk of malicious invitations.
4. Monitor user invitation logs and access patterns for unusual activity, such as unexpected logins from invited users prior to approval.
5. Implement additional access controls or multi-factor authentication for sensitive forums to mitigate risks from unauthorized access.
6. Educate forum administrators and moderators about the vulnerability and encourage prompt review of new user approvals and invitations.
7. Regularly audit Discourse configurations and user permissions to ensure compliance with security best practices.
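Recommendation 4 asks for monitoring of invitation and login activity for logins that precede approval. The script below is an added example of that check, not part of this advisory or of Discourse: it runs over a constructed log in a hypothetical key=value format (Discourse's real log format is not reproduced here) and reports every user who redeemed an invite and then logged in before any approval event was recorded for them.

```ruby
require "time"

# Constructed sample log for this example. The format (ISO-8601 timestamp
# followed by key=value pairs) and the event names are hypothetical, not
# Discourse's actual logging.
SAMPLE_LOG = <<~LOG
  2022-01-10T09:00:00Z event=invite_redeemed user=alice
  2022-01-10T09:00:01Z event=login user=alice
  2022-01-10T11:30:00Z event=user_approved user=alice
  2022-01-10T12:00:00Z event=invite_redeemed user=bob
  2022-01-10T12:45:00Z event=user_approved user=bob
  2022-01-10T13:00:00Z event=login user=bob
  2022-01-10T14:00:00Z event=login user=carol
  this line is malformed and must be skipped
LOG

LINE_RE = /\A(?<ts>\S+)\s+event=(?<event>\S+)\s+user=(?<user>\S+)\z/

# Parses the log into hashes; malformed lines are dropped rather than
# aborting the whole run.
def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).filter_map do |line|
    m = LINE_RE.match(line)
    next unless m
    { ts: Time.iso8601(m[:ts]), event: m[:event], user: m[:user] }
  end
end

# Returns the login events of users who redeemed an invite and logged in
# while no approval had yet been recorded for them. A user whose approval
# was never logged counts as unapproved for the whole window. Users with no
# invite record (carol) are out of scope for this particular check.
def invited_logins_before_approval(events)
  invited     = events.select { |e| e[:event] == "invite_redeemed" }.map { |e| e[:user] }.to_set
  approved_at = events.select { |e| e[:event] == "user_approved" }.to_h { |e| [e[:user], e[:ts]] }

  events.select do |e|
    e[:event] == "login" &&
      invited.include?(e[:user]) &&
      (approved_at[e[:user]].nil? || e[:ts] < approved_at[e[:user]])
  end
end

if __FILE__ == $PROGRAM_NAME
  invited_logins_before_approval(parse_log(SAMPLE_LOG)).each do |e|
    puts "REVIEW: #{e[:user]} logged in at #{e[:ts].iso8601} before approval"
  end
end
```

Alice is the only hit: her login at 09:00:01 precedes her approval at 11:30. Bob logged in after approval, and carol has no invite record, so neither is reported; on a real deployment the same query would be run over the site's actual staff-action and login logs, with a hit prompting a review of that account's session activity.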

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2021-11-16T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf22b4

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 6:18:43 PM

Last updated: 7/30/2025, 3:52:33 AM
