Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference in Discourse's directory items endpoint. The parameter user_field_ids can be set to any custom field id without authorization checks, allowing any user—including anonymous users—to obtain the values of private custom fields for all users. This results in bulk exfiltration of sensitive information such as phone numbers, addresses, or other data that administrators have configured as non‑public.

Affected Systems

Affected systems are installations of the Discourse discussion platform running any version prior to 2025.12.2, 2026.1.1, or 2026.2.0. These versions expose the directory items API without filtering private custom field identifiers. The problem has been addressed in the three mentioned releases and in any later releases.

Risk and Exploitability

The CVSS score is 7.5, indicating a high‑to‑medium severity. The EPSS score is less than 1%, suggesting that exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. An attacker does not need special privileges, as the endpoint is accessible to all users; thus the attack vector is simple over HTTP. If exploited, the attacker can bulk exfiltrate private user data, compromising confidentiality across the entire user base.

Generated by OpenCVE AI on April 17, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2025.12.2, 2026.1.1, 2026.2.0 or later, which filter user_field_ids against public fields.
  • If an upgrade is not feasible, remove sensitive data from private custom fields so that no confidential values remain stored.
  • Disable the user directory by setting enable_user_directory to false to eliminate the public endpoint that exposes the data.
  • Review and adjust custom field visibility settings to ensure no private fields are unintentionally exposed.

Generated by OpenCVE AI on April 17, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 26 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
Title Discourse has IDOR vulnerability in the directory items endpoint
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T16:17:05.469Z

Reserved: 2026-02-12T17:10:53.412Z

Link: CVE-2026-26265

cve-icon Vulnrichment

Updated: 2026-02-27T16:17:00.719Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T16:24:07.543

Modified: 2026-03-02T21:37:36.747

Link: CVE-2026-26265

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses