Issue Description During a security assessment of our customized Discourse deployment, we discovered a potential directory traversal vulnerability related to the /uploads/* endpoint. Problem Details Accessing /uploads/ allows users to fetch files from arbitrary upload directories by manipulating …

Maybe you are interested in the secure-uploads feature. [image] Secure Uploads megaphoneAnnouncements Added in the Discourse 2.4 release in February is the Secure Uploads feature, which provides a higher degree of security for ALL uploads (images, video, audio,…

Potential Directory Traversal: /uploads/* allows cross-directory file access

Support

Moin July 8, 2025, 10:42am 2

Maybe you are interested in the secure-uploads feature.

3 Likes

Topic		Replies	Views
Potential resource exhaustion: No rate limiting on /uploads.json allows mass file uploads Support uploads	0	70	July 8, 2025
Personal Message attachments accessible to unauthenticated users (missing auth check) Support secure-uploads , personal-messages	1	71	July 8, 2025
Does anyone have some suggestions how should I go about investigating Discourse losing old uploads? Support	0	24	July 4, 2024
Understanding Uploads, Images, and Attachments Site Management explanation , file-management	5	6101	January 15, 2025
Secure Uploads Announcements secure-uploads	46	17047	July 24, 2025

Potential Directory Traversal: /uploads/* allows cross-directory file access

Related topics