This repository was archived by the owner on Jul 14, 2025. It is now read-only.
Insufficient Server Side Request Forgery protections - discourse-oauth2-basic
Package: discourse-oauth2-basic (Discourse)
Affected versions: <= 2efe6578
Patched versions: > 2efe6578
Impact
Insufficient server-side request forgery (SSRF) protections could allow a malicious admin to make the Discourse server open outbound network connections to private (internal) IP addresses.
The high severity of this advisory reflects the worst-case scenario, where admins are untrusted and sensitive services are reachable on the internal network. That may be the case in some deployments (e.g. shared hosting environments), but for the majority of self-hosters following our standard install, admins are trusted and so the impact is much lower.
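As an added example (not code from discourse-oauth2-basic or Discourse, and not the project's actual fix), the Ruby snippet below shows the kind of destination check an SSRF guard needs before a server fetches an admin-configured URL: it rejects non-HTTP schemes, resolves the host, and refuses any answer that lands in a loopback, private, link-local or CGNAT range, including IPv4-mapped IPv6 literals such as ::ffff:10.0.0.5. FAKE_DNS is a constructed lookup table so the example runs offline; BLOCKED_RANGES and the two function names are this example's own.

```ruby
require "ipaddr"
require "uri"

# Address ranges that an outbound request built from admin-supplied
# configuration must never reach: "this network", loopback, RFC 1918,
# CGNAT, link-local (which covers cloud metadata endpoints such as
# 169.254.169.254) and the IPv6 equivalents.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8
  169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
  ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True if +ip+ (String or IPAddr) falls inside a blocked range.
def blocked_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  # IPv4-mapped IPv6 literals (::ffff:10.0.0.5) would otherwise slip past
  # the IPv4 ranges; IPAddr#native turns them back into plain IPv4 and
  # returns self for every other address.
  addr = addr.native
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Constructed stand-in for DNS so the example runs offline. Real code would
# call Resolv.getaddresses(host) here.
FAKE_DNS = {
  "idp.example.com"        => ["203.0.113.10"],
  "rebind.example.com"     => ["203.0.113.11", "10.0.0.5"], # mixed public/internal
  "metadata.internal.test" => ["169.254.169.254"],
}.freeze

# Validate a URL before the server fetches it on an admin's behalf.
# Returns [true, resolved_ips] or [false, reason].
def validate_outbound_url(url, resolver: FAKE_DNS)
  uri = URI.parse(url)
  return [false, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around IPv6 literals
  return [false, "missing host"] if host.nil? || host.empty?

  # A literal IP needs no lookup; anything else goes through the resolver.
  ips = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    (resolver[host] || []).map { |s| IPAddr.new(s) }
  end
  return [false, "host does not resolve"] if ips.empty?

  # Reject if ANY answer is internal: an attacker-controlled zone can return
  # a public address alongside an internal one and let the client pick.
  bad = ips.find { |ip| blocked_ip?(ip) }
  return [false, "#{host} resolves to blocked address #{bad}"] if bad

  [true, ips.map(&:to_s)]
rescue URI::InvalidURIError => e
  [false, "invalid URL: #{e.message}"]
end
```

The check only helps if it is applied to the address the HTTP client actually connects to: validating at configuration time and then letting the client re-resolve the name later reopens the hole through DNS rebinding, and every redirect target has to be run through the same check before it is followed.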
For more information, see GHSA-rcc5-28r3-23rr
Patches
The problem is resolved in the latest version of discourse-oauth2-basic (any commit after 2efe6578).
Workarounds
None