CVE-2023-49099 LOW

CVE-2023-49099: Discourse secure uploads accessible to guests even when login is required

Vendor Discourse
Product discourse
Weakness CWE-284
Published January 12, 2024
Last update June 17, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Discourse is a platform for community discussion. Under very specific circumstances, secure upload URLs associated with posts can be accessed by guest users even when login is required. This vulnerability has been patched in 3.2.0.beta4 and 3.1.4.

Key dates

02 Disclosure timeline

January 12, 2024 CVE published
June 17, 2025 Record updated