Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-za7f-wjdb-w3ba
SummaryDiscourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authentication token when no token was configured. This allowed unauthenticated attackers to forge webhook payloads and artificially inflate user bounce scores, potentially causing legitimate user emails to be disabled. The Mailpace endpoint had no token validation at all. Starting in versions 2025.12.2, 2026.1.1, and 2026.2.0, all webhook endpoints reject requests with a 406 response when no authentication token is configured. As a workaround, ensure that webhook authentication tokens are configured for all email provider integrations in site settings (e.g., `sendgrid_verification_key`, `mailjet_webhook_token`, `postmark_webhook_token`, `sparkpost_webhook_token`). There's no current workaround for mailpace before getting this fix.
Aliases
0
alias CVE-2026-26077
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26077
reference_id
reference_type
scores
0
value 0.00166
scoring_system epss
scoring_elements 0.37462
published_at 2026-06-11T12:55:00Z
1
value 0.00166
scoring_system epss
scoring_elements 0.37639
published_at 2026-06-12T12:55:00Z
2
value 0.00166
scoring_system epss
scoring_elements 0.37663
published_at 2026-06-13T12:55:00Z
3
value 0.00166
scoring_system epss
scoring_elements 0.37651
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26077
1
reference_url https://github.com/discourse/discourse/security/advisories/GHSA-j67c-53j2-4hfw
reference_id GHSA-j67c-53j2-4hfw
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T16:18:52Z/
url https://github.com/discourse/discourse/security/advisories/GHSA-j67c-53j2-4hfw
Weaknesses
0
cwe_id 287
name Improper Authentication
description When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Exploits
Severity_range_score6.5 - 6.5
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-za7f-wjdb-w3ba