Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Discourse is an open-source discussion platform that inadvertently exposed the title and post excerpt of private topics through its user-action API endpoint. The flaw occurs because the API does not enforce visibility checks, so any user can retrieve that sensitive data. The result is an information disclosure that could surface private discussion details to unauthorized parties. This weakness aligns with CWE-201, an information exposure vulnerability.

Affected Systems

The vulnerability affects all Discourse releases older than 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Administrators running those versions are at risk of leaking private topic data. The CPE list confirms that the issue exists in the core product across all platform flavors until the mentioned patches.

Risk and Exploitability

The security score is 8.7, indicating a high severity. The EPSS probability is less than 1 %, suggesting that few public exploits are known at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is an unauthenticated or insufficiently privileged user sending a crafted request to the user-action API endpoint, which then returns the title and excerpt of a private topic. No public exploit code is publicly documented, but the flaw’s simplicity means it could be abused by a determined adversary through normal API usage.

Generated by OpenCVE AI on March 25, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched version (2026.3.0-latest.1, 2026.2.1, or 2026.1.2).
  • Verify that private topic titles are not exposed through the user-action API endpoint.
  • Monitor API usage for abnormal requests to private topics and apply rate limiting if needed.
  • Stay informed of future advisories by subscribing to Discourse security updates.

Generated by OpenCVE AI on March 25, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 19 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title Discourse leaks private topic title and post excerpt via user action API endpoint
Weaknesses CWE-201
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:53:53.212Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27934

cve-icon Vulnrichment

Updated: 2026-03-20T18:53:41.137Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:30.833

Modified: 2026-03-25T21:04:13.697

Link: CVE-2026-27934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:45Z

Weaknesses