CVE-2024-49765
📋 TL;DR
Discourse sites using Discourse Connect (SSO) with local logins still enabled are vulnerable to authentication bypass. Attackers can create accounts and log in without proper SSO validation. This affects Discourse administrators who haven't updated to the patched version.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers create unauthorized administrator accounts, gaining full control over the Discourse instance to manipulate content, access private data, or disrupt community operations.
Likely Case
Attackers create regular user accounts to post spam, harass users, or access restricted community areas they shouldn't have permission to view.
If Mitigated
With proper controls, impact is limited to potential account creation attempts that fail due to disabled local logins or other authentication safeguards.
🎯 Exploit Status
The vulnerability is straightforward to exploit once an attacker discovers a vulnerable Discourse instance with both authentication methods enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version of Discourse
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-v8rf-pvgm-xxf2
Restart Required: Yes
Instructions:
1. Update Discourse to the latest version using your deployment method (Docker, manual, etc.).
2. Restart the Discourse application.
3. Verify local logins are disabled if using Discourse Connect.
🔧 Temporary Workarounds
Disable Local Logins
Disable all local login methods when using Discourse Connect to prevent authentication bypass.
Navigate to Admin > Settings > Login in Discourse admin panel, disable all non-Discourse Connect authentication methods
🧯 If You Can't Patch
- Disable all local login methods in Discourse admin settings when using Discourse Connect
- Implement network-level controls to restrict access to vulnerable instances
🔍 How to Verify
Check if Vulnerable:
Check if Discourse Connect is enabled AND any local login methods (email, username/password) are still enabled in Admin > Settings > Login
Check Version:
Check Discourse admin dashboard or run: docker exec -it discourse cat /shared/version
Verify Fix Applied:
Confirm Discourse is updated to latest version and verify local logins are disabled when Discourse Connect is enabled
📡 Detection & Monitoring
Log Indicators:
- Unexpected account creation events
- Login attempts using local authentication when Discourse Connect is configured
- Failed SSO validation attempts followed by successful local login
Network Indicators:
- Authentication requests to local login endpoints when SSO should be required
SIEM Query:
source="discourse" AND (event="account_created" OR event="user_logged_in") AND auth_method!="sso"
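The two log indicators and the SIEM query above can be checked offline with a small script. The following is an added example, not Discourse's own code or log format: the JSON event shape (fields `ts`, `event`, `username`, `auth_method`, `result`) and the sample lines are constructed for illustration, and a real deployment would map its own log fields onto them. It flags (a) successful account creation or login events that did not go through SSO and (b) a user whose failed SSO validation is followed by a successful local login.

```python
"""Detection example for CVE-2024-49765-style indicators on a Discourse
site where Discourse Connect (SSO) is expected to be the only login path.
Added example with a constructed log format; not Discourse's own code."""
import json
from collections import OrderedDict

# Constructed sample events (assumed field names, not real Discourse output).
SAMPLE_LOG = """
{"ts": "2024-10-20T10:00:01Z", "event": "user_logged_in", "username": "alice", "auth_method": "sso", "result": "success"}
{"ts": "2024-10-20T10:00:05Z", "event": "account_created", "username": "mallory", "auth_method": "local", "result": "success"}
{"ts": "2024-10-20T10:00:09Z", "event": "sso_validation", "username": "bob", "auth_method": "sso", "result": "failure"}
{"ts": "2024-10-20T10:00:12Z", "event": "user_logged_in", "username": "bob", "auth_method": "local", "result": "success"}
{"ts": "2024-10-20T10:00:20Z", "event": "user_logged_in", "username": "carol", "auth_method": "sso", "result": "success"}
"""

# Events the SIEM query above is interested in.
WATCHED_EVENTS = {"account_created", "user_logged_in"}


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_non_sso_auth(events):
    """Script equivalent of the SIEM query: successful account creation or
    login events whose auth_method is anything other than "sso"."""
    return [
        e for e in events
        if e.get("event") in WATCHED_EVENTS
        and e.get("auth_method") != "sso"
        and e.get("result") == "success"
    ]


def find_sso_failure_then_local_login(events):
    """Flag users whose failed SSO validation is later followed by a
    successful non-SSO login (the sequence listed under Log Indicators)."""
    flagged = []
    last_sso_failure = {}  # username -> timestamp of most recent SSO failure
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e.get("username")
        if e.get("event") == "sso_validation" and e.get("result") == "failure":
            last_sso_failure[user] = e["ts"]
        elif (
            e.get("event") == "user_logged_in"
            and e.get("auth_method") != "sso"
            and e.get("result") == "success"
            and user in last_sso_failure
        ):
            flagged.append({
                "username": user,
                "sso_failure_ts": last_sso_failure.pop(user),
                "local_login_ts": e["ts"],
            })
    return flagged


def detect(text):
    """Run both checks over a log text and return the hits by category."""
    events = parse_events(text)
    return OrderedDict([
        ("non_sso_auth", find_non_sso_auth(events)),
        ("sso_failure_then_local", find_sso_failure_then_local_login(events)),
    ])


if __name__ == "__main__":
    for category, hits in detect(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit)
```

On the constructed sample, the first check reports the local account creation by `mallory` and the local login by `bob`; the second check reports only `bob`, whose local login came after a failed SSO validation. Any hit on a site where Discourse Connect is the sole intended login method warrants reviewing the account and confirming local logins are actually disabled.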