Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Published: 2026-02-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is a SQL injection in the PM tag filtering function (`list_private_messages_tag`) that enables bypassing tag filter conditions and accessing private message metadata that is not normally visible. Because of this flaw, an attacker who can forge a request containing a crafted tag value can make the application return information about private conversations that it should not disclose. The weakness is an example of untrusted input reaching the SQL layer, leading to confidentiality loss, and is classified as CWE-89.

Affected Systems

Discourse, the open‑source discussion forum, is impacted in every release before 2025.12.2, 2026.1.1, and 2026.2.0. Versions 2025.12.2, 2026.1.1, and 2026.2.0 address the flaw and are recommended replacements.

Risk and Exploitability

The CVSS 4.0 score of 4.9 reflects a moderate impact; the very low EPSS score (< 1%) and the absence from the CISA KEV catalog indicate that the vulnerability is not widely exploited. The likely attack path is a web request that embeds a malicious tag value, causing a crafted SELECT statement to run and return private message metadata, leading to data disclosure. Because the exploit requires neither local access nor elevated privileges (the CVSS vectors list AV:N and PR:L), an attacker with network connectivity to a Discourse instance and a low-privileged account can leverage the flaw.

Generated by OpenCVE AI on April 17, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse installation to version 2025.12.2, 2026.1.1, or 2026.2.0, which contain the patch for the SQL injection.
  • Replace the vulnerable tag filtering logic with prepared statements or use an ORM to prevent the incorporation of raw user input into SQL queries.
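  • Validate and sanitize the tag parameter on the client side and in server-side code to ensure only expected values are accepted; only the server-side check is a security control, since client-side checks do not constrain a forged request.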

Generated by OpenCVE AI on April 17, 2026 at 14:16 UTC.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 26 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Title Discourse has SQL injection in PM tag filtering
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:44:11.335Z

Reserved: 2026-02-18T00:18:53.961Z

Link: CVE-2026-27149

Vulnrichment

Updated: 2026-03-03T01:44:07.098Z

NVD

Status: Analyzed

Published: 2026-02-26T21:28:54.193

Modified: 2026-03-02T18:14:00.923

Link: CVE-2026-27149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z
