If it exhibits here only, then I have a gut feeling it is related to csrf-sync.
If NodeBB restarts, it could be that the valid csrf token is stored in memory and is lost 🤷
Edit: No... I just tested that locally and it worked fine. Hm.
We have been having some sophisticated spam posting to our forum. I noticed a spam post and deleted it several hours before the digest was going to be sent out, but did not purge it. However the title of the spam post was still listed in the daily digest. Is there any way to make sure deleted posts do not end up in the email digest?