Listen to this Post
Technical
Discourse is an open-source discussion platform that integrates with AWS Simple Email Service (SES) for email delivery. To handle email bounces (undeliverable messages), Discourse implements a webhook endpoint at `POST /webhooks/aws` that listens for Amazon SNS notifications from SES. When an email bounces, SES publishes a Bounce notification to an SNS topic, which then forwards it to the configured webhook URL. Upon receiving such a notification, Discourse revokes the email address of the targeted user to prevent future delivery attempts.
The vulnerability exists because the webhook verifies only that incoming SNS messages are cryptographically signed by Amazon—using the standard SNS signature validation—but fails to validate that the `TopicArn` (the Amazon Resource Name of the SNS topic that published the message) belongs to a trusted, pre-configured topic owned by the Discourse instance administrator. This missing binding allows any AWS account holder to create their own SNS topic, publish a validly signed Bounce notification (SNS signing is available to all AWS users), and send it to the vulnerable webhook endpoint. Since the signature validation passes, Discourse accepts the forged notification as legitimate and proceeds to revoke the email address of the targeted user, effectively denying that user email delivery.
The attack requires no forum account, no user interaction, and can be performed remotely over the network. The only prerequisite is that the target Discourse instance must have the AWS SES webhook enabled and exposed, and the attacker must know or guess the target user’s email address. The vulnerability affects all Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The issue is classified as an Improper Access Control (CWE-284) and has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L.
DailyCVE Form:
Platform: Discourse
Version: <2026.1.5, <2026.4.2, <2026.5.1, <2026.6.0
Vulnerability: AWS SES Bypass
Severity: MEDIUM (CVSS 6.5)
date: 2026-07-09
Prediction: 2026-07-14
What Undercode Say:
Analytics & Bash Commands
Check if your Discourse instance uses AWS SES for email delivery:
rails console SiteSetting.email_delivery_method => "ses" if vulnerable
Verify the configured SNS topic ARN for the bounce webhook:
rails console SiteSetting.ses_sns_topic_arn
List all registered webhook endpoints (including the vulnerable /webhooks/aws):
curl -X GET "https://your-discourse.com/admin/api/plugins/webhooks" \ -H "Api-Key: YOUR_API_KEY" \ -H "Api-Username: system"
Simulate a forged SNS Bounce notification (proof-of-concept payload):
curl -X POST "https://your-discourse.com/webhooks/aws" \
-H "Content-Type: application/json" \
-d '{
"Type": "Notification",
"Message": "{\"notificationType\":\"Bounce\",\"bounce\":{\"bouncedRecipients\":[{\"emailAddress\":\"[email protected]\"}]},\"mail\":{\"destination\":[\"[email protected]\"]}}",
"TopicArn": "arn:aws:sns:us-east-1:ATTACKER_ACCOUNT:fake-topic",
"SignatureVersion": "1",
"Signature": "VALID_SIGNATURE_FROM_AMAZON"
}'
Check audit logs for unauthorized bounce events:
grep "webhooks.aws" /var/log/discourse/logs/production.log | grep Bounce
Exploit:
An attacker with any AWS account can:
- Create an SNS topic in their own AWS account.
- Publish a properly formatted Bounce notification to that topic, specifying the victim’s email address in the `bouncedRecipients` field.
- The SNS service automatically signs the message using Amazon’s standard signing process.
- The attacker forwards the signed notification to the target Discourse `/webhooks/aws` endpoint.
- Discourse verifies the Amazon signature (which passes) but does not check if the `TopicArn` matches the trusted topic configured by the administrator.
- The forged Bounce is accepted, and Discourse immediately revokes the victim’s email address, disabling all future email communications from the platform to that user.
No authentication, no forum account, and no user interaction are required. The attack can be automated and scaled to target multiple users simultaneously.
Protection:
- Immediate: Upgrade Discourse to 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 or later.
- Workaround: If upgrading is not immediately possible, manually configure the webhook to validate the `TopicArn` against a hardcoded list of trusted ARNs before processing any bounce notification.
- Additional: Restrict network access to the `/webhooks/aws` endpoint to only allow requests originating from AWS SNS IP ranges (available via AWS
ip-ranges.json). - Monitoring: Enable audit logging for all webhook requests and set up alerts for unexpected bounce events or requests from untrusted SNS topics.
Impact:
- Integrity (Low): An attacker can falsely mark a user’s email as bouncing, leading to incorrect revocation of email delivery.
- Availability (Low): Targeted users lose the ability to receive email notifications, password reset links, and other critical communications from the Discourse instance, effectively denying service for that user.
- No Confidentiality Impact: The vulnerability does not expose or leak any user data.
- Widespread Applicability: Any Discourse instance using AWS SES with SNS for bounce handling is vulnerable. The attack requires no privileges and can be executed remotely, making it easily exploitable at scale.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

