Custom dropdown user field contains unselectable value

AquaL1te · May 9, 2026, 10:30am

On my forum I have this custom field when users sign up.

But it seems like that spam bots create accounts with a value for that dropdown that is not selectable. Which almost makes it function like a honeypot to determine which account is not human made. But this could maybe also be a security issue?

Lilly · May 9, 2026, 1:46pm

i think this is because bots don’t use front end sign up that has the validators. those spam bots are using automated post requests to the sign up api endpoint. when custom fields are optional, perhaps sometimes validation isn’t strict enough in backend and still saves the payload value to the database.

i’m not sure what the core fix is, but you also likely need some more anti-spam configuration or tools. Maybe try using Discourse hCaptcha? or AI spam detection (I use AI spam bot on my public forum and it words excellent, and i have optional fields on sign up too.)

you can find all the affected user accounts on your forum by using Data explorer (assuming the custom field is user_field_1 ):

SELECT user_id, value 
FROM user_custom_fields 
WHERE name = 'user_field_1' 
AND value NOT IN ('Bro', 'Sis', '')

if you recently changed the field from a text input to dropdown, this may also account for some those bot accounts with the incorrect field values.

you could try running a curl command to test this too - something like:

curl -i -X POST "https://FORUM_URL/users.json" \
-H "Api-Key: API_KEY" \
-H "Api-Username: system" \
-H "Content-Type: application/json" \
-d '{
  "name": "api test user",
  "email": "test_validation_bot@example.com",
  "password": "SuperSecretPassword123!",
  "username": "test_validation_bot",
  "active": true,
  "user_fields": {
    "FIELD_ID": "SomeInvalidText"
  }
}'

where FORUM_URL is your forum address, API_KEY a global api key generated from /admin/api/keys, and FIELD_ID is the id of the custom field.

edit: i just tested this with that curl command and yes, i can reproduce this issue - i was able to signup a new user with an unvalidated selection in the custom user field dropdown.

ted · May 14, 2026, 2:09am

@Lilly is correct. There isn’t enough distrust on the back-end here.

Since this came up, I decided to check if this also affects the profile page, and it doesn’t. We correctly sanitize values when users update their profile. That made it relatively straight-forward to just copy that sanitization logic to the sign-up endpoint as well. A PR is here:

github.com/discourse/discourse

FIX: Don't allow arbitrary values for user field enums on signup (#40018)

main ← Drenmi:fix/invalid-user-field-values-on-signup

approved 02:50AM - 14 May 26 UTC

Drenmi

+21 -3

## What is the problem? When signing up and the sign-up form contains custom …user fields of type "dropdown" or "multi-select", the client can send any value and it will be stored in the back-end. ## How does this fix it? We are correctly guarding against this in the profile update endpoint, so this PR just lifts the protection we have there to the sign-up endpoint as well. **Note:** The _real_ fix is probably to shift the validation logic away from the controller and into the user fields module, but this stems the bleeding for now.

I don’t think it technically is. Yes, users can put arbitrary values in, but there’s still sanitization applied before this is rendered anywhere (so no XSS vector). And the length limit was already correctly applied in the sign-up endpoint as well (so no DoS vector).

Topic		Replies	Views
Not respecting editable after sign up Bug user-custom-fields	3	81	April 15, 2025
Custom user fields dropdown have no "please choose" option Bug	3	1227	March 9, 2016
Honeypot Fields for Bot Prevention on Signup? General	3	173	February 10, 2025
User Fields - weird signup behavior Bug user-custom-fields , stable	16	259	October 3, 2024
Creating and configuring custom user fields Site Management user-custom-fields , how-to , users	25	17574	April 8, 2026

Custom dropdown user field contains unselectable value

Related topics