Listen to this Post
Technical Deep Dive
CVE-2026-45788 is an improper access control vulnerability in Discourse, an open‑source discussion platform. The flaw resides in the `pull_hotlinked_images` functionality, which is responsible for fetching and caching externally hosted images that users embed in posts. When the site‑wide setting `secure_uploads` is enabled, all uploaded files—including those retrieved via hotlinking—are supposed to be protected by access controls, ensuring that only authorised users can view them.
However, the vulnerability arises because `pull_hotlinked_images` does not properly re‑apply the same authorisation checks when it copies a hotlinked image into Discourse’s secure storage. In a typical flow, when a user submits a post containing an external image URL, the server downloads that image, stores it locally, and then rewrites the post’s HTML to point to the new local URL. This local URL is generated using a predictable pattern and includes a secure token that is meant to restrict access.
An attacker who knows the exact secure upload URL of a previously hotlinked image—for instance, by guessing the token or by obtaining it through other means—can request that resource directly. Because `pull_hotlinked_images` does not verify that the requesting user has the necessary permissions to view that specific file, the server serves the image without any additional authorisation. This effectively bypasses the `secure_uploads` protection, turning a supposedly private file into a publicly accessible resource.
The issue is exacerbated by the fact that the `secure_uploads` setting is often enabled on sites that handle sensitive content, such as private communities or enterprise forums. The attack requires no authentication, as the endpoint that serves the uploaded files does not enforce a session check when the URL is known. The impact is limited to information disclosure (confidentiality), but the severity is rated High (CVSS 3.1 base score 7.5) because the attack vector is network‑based, the attack complexity is low, and no privileges are required. The vulnerability affects all Discourse versions before 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. Patches were released on July 9, 2026, and administrators are strongly urged to upgrade immediately.
DailyCVE Form
| Field | Value |
|–|–|
| Platform | Discourse |
| Version | < 2026.6.0 / 2026.5.1 / 2026.4.2 / 2026.1.5 |
| Vulnerability | Improper access control (CWE‑284) |
| Severity | High (CVSS 3.1: 7.5) |
| Date | 2026‑07‑09 |
| Prediction | Patch already released |
What Undercode Say: Analytics
Attack Surface
- Publicly reachable endpoint serving secure uploads.
- Predictable URL patterns for hotlinked images.
- No authentication required for known URLs.
Detection Indicators
- Unusual requests to `/uploads/` paths with high entropy tokens.
- Repeated 200 OK responses for files that should be restricted.
- Access logs showing external IPs retrieving images without prior session activity.
Bash Commands for Analysis
Check if secure_uploads is enabled (requires admin access)
rails console
SiteSetting.secure_uploads
Search logs for suspicious GET requests to uploads
grep "GET /uploads/" /var/log/nginx/access.log | awk '{print $1, $7}' | sort | uniq -c | sort -nr
Verify patched version
bundle exec rake about | grep "Discourse version"
Code Snippet (Vulnerable Flow)
Simplified representation of the flawed logic in pull_hotlinked_images def pull_hotlinked_images(post) ... download external image ... uploaded_file = UploadCreator.new(temp_file).create_for(post.user.id) The new secure URL is generated, but no permission check is attached post.raw.gsub!(external_url, uploaded_file.url) post.save! end The uploaded_file.url is accessible without verifying the viewer's rights.
Exploit
- Identify a target – locate a Discourse instance with `secure_uploads` enabled.
- Obtain a secure upload URL – either by:
– Guessing the token (if the generation algorithm is weak – not the case here, but token leakage may occur).
– Finding a reference to the secure URL in a public post or page source (e.g., via an unintended leak).
– Leveraging a separate information disclosure to obtain the URL.
3. Craft a direct request to the secure upload endpoint, e.g.:
GET /uploads/default/secure/abc123def456/image.png HTTP/1.1 Host: target.discourse.com
4. Receive the image – the server returns the file without any authorisation check, exposing its content.
Note: No public exploit code is available, but the attack is trivial once the URL is known.
Protection
- Immediate – upgrade to one of the fixed versions:
– `2026.6.0`
– `2026.5.1`
– `2026.4.2`
– `2026.1.5`
– Workaround – if upgrading is not possible, temporarily disablesecure_uploads:SiteSetting.secure_uploads = false
(This reduces the risk but also removes the protection for all uploads.)
- Long‑term – enable additional access controls (e.g., CDN‑level authentication, IP whitelisting) and monitor logs for anomalous retrieval patterns.
- Code review – ensure that any future modifications to upload handling re‑validate permissions on every access.
Impact
- Confidentiality – sensitive images or documents stored as secure uploads can be viewed by unauthorised external parties.
- Privacy breach – in private forums, this could expose user‑uploaded content that was intended to be restricted (e.g., internal memos, personal photos).
- Compliance – organisations subject to GDPR, HIPAA, or similar regulations may face violations if protected data is leaked.
- Reputation – public disclosure of private community content can erode user trust.
- No direct integrity or availability impact – the flaw is purely informational, but the information disclosed may enable further attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

