Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure: Hidden group membership
Action: Patch Now
AI Analysis

Impact

The ComposerController#mentions endpoint in Discourse is vulnerable to an information‑exposure flaw. Authenticated users who can message a hidden group can query the endpoint with an allowed_names parameter referencing that group. By probing arbitrary usernames, an attacker learns whether a given user is listed as a member when user_reasons returns "private", allowing the attacker to infer hidden membership without direct visibility. The flaw enables the disclosure of group membership to unauthorized users, exposing internal structure for social engineering or targeted attacks. The weakness corresponds to Information Exposure (CWE‑200) and Authorization Bypass (CWE‑285).

Affected Systems

Discourse discussion platform, all releases older than 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2 are affected. The security patch was back‑ported to those releases and higher, so upgrading to at least these versions removes the vulnerability. Discourse 2026.3.0‑latest.1 or newer includes the fix.

Risk and Exploitability

The CVSS base score is 5.3, a medium severity rating that reflects the restricted scope of the impact. EPSS is below 1%, indicating a low probability of exploitation in the wild at present. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an authenticated user who can send messages to the hidden group, which they can then exploit by performing a controlled request to the Composer mentions endpoint. Exploitation requires no special privileges beyond normal messaging permissions and thus represents a moderate operational risk for organizations that rely on hidden group membership for confidentiality.

Generated by OpenCVE AI on March 24, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to version 2026.3.0‑latest.1 or later
  • If an upgrade is not immediately possible, limit the messageable policy of hidden‑membership groups so that only staff or group members can message them, preventing untrusted users from triggering the vulnerable endpoint.
  • Verify that the Composer mentions endpoint no longer reveals hidden membership by testing with probe usernames.

Generated by OpenCVE AI on March 24, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.
Title Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
Weaknesses CWE-200
CWE-285
CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T17:18:59.947Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31869

cve-icon Vulnrichment

Updated: 2026-03-20T17:18:06.604Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T03:15:59.533

Modified: 2026-03-24T20:22:46.050

Link: CVE-2026-31869

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:31Z

Weaknesses