Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.
Published: 2026-01-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow moderators who are not administrators to view the staff action logs. The logs reveal webhook payload URLs, secrets, API key details, site setting changes, private message content, restricted category names, and private chat channel titles. This defect bypasses the platform’s intended access controls, permitting confidential data extraction and potentially enabling attackers to forge webhook events to integrated services.

Affected Systems

The vulnerable software is the Discourse discussion platform, specifically any instance running a version earlier than 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. The issue is identified for the official Discourse product; no other vendors are affected.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to acquire moderator privileges or co-operate with a moderator to exploit this flaw; no configuration-based workaround exists, so the only mitigation is to patch or restrict moderator appointments. The vulnerability's primary impact is information disclosure, with the potential for further exploitation if webhook secrets are leaked.

Generated by OpenCVE AI on April 18, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse installation to version 3.5.4 or newer, or to the 2025.11.2, 2025.12.1, or 2026.1.0 releases that contain the fix.
  • Immediately review moderator appointments and limit them to fully trusted users only; remove any unnecessary or temporary moderator roles.
  • Conduct a security audit of the staff action logs and monitor for any anomalous access or disclosure of confidential information.

Generated by OpenCVE AI on April 18, 2026 at 01:40 UTC.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 20:45:00 +0000

  Type: CPEs
  Values removed: none
  Values added:
    cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*
    cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*
    cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*

Thu, 29 Jan 2026 10:15:00 +0000

  Type: First Time appeared
  Values removed: none
  Values added: Discourse; Discourse discourse

  Type: Vendors & Products
  Values removed: none
  Values added: Discourse; Discourse discourse

Wed, 28 Jan 2026 21:15:00 +0000

  Type: Metrics
  Values removed: none
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 20:30:00 +0000

  Type: Description
  Values removed: none
  Values added: Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.

  Type: Title
  Values removed: none
  Values added: Discourse staff action logs expose sensitive information to moderators

  Type: Weaknesses
  Values removed: none
  Values added: CWE-863

  Type: References
  Values removed: none
  Values added: none listed

  Type: Metrics
  Values removed: none
  Values added: cvssV3_1
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T20:35:27.216Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24742

Vulnrichment

Updated: 2026-01-28T20:33:27.088Z

NVD

Status: Analyzed

Published: 2026-01-28T21:16:11.913

Modified: 2026-01-30T20:31:42.753

Link: CVE-2026-24742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses