Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Private Topic Metadata
Action: Immediate Patch
AI Analysis

Impact

An API endpoint in the open‑source discussion platform exposes private topic metadata belonging to administrators. The flaw allows moderators, who normally lack permission to view those private topics, to obtain this sensitive metadata. This is a privacy violation, classified as CWE‑201 (Insertion of Sensitive Information Into Sent Data), and does not enable further exploitation such as code execution or system compromise.

Affected Systems

Discourse releases before 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2 are affected. Upgrading to any of those patched versions removes the vulnerability.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, while the EPSS score below 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account: a legitimate moderator can call the affected API endpoint and receive private topic metadata they are not authorized to view, without needing any higher privileges.

Generated by OpenCVE AI on March 24, 2026 at 04:36 UTC.

Remediation

No workaround is available; the only remediation is to upgrade to one of the patched releases.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release such as 2026.3.0‑latest.1, 2026.2.1, or 2026.1.2.


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 19 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title Discourse leaks private topic metadata to non-authorized users
Weaknesses CWE-201
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:28:35.052Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27935

Vulnrichment

Updated: 2026-03-20T16:28:28.586Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:30.997

Modified: 2026-03-23T20:18:31.873

Link: CVE-2026-27935

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:42Z

Weaknesses