Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The flaw allows moderators to export CSV data from reports that are limited to admins only. This bypasses the intended visibility restrictions and can expose sensitive operational data, potentially revealing user activity logs or internal metrics. The weakness is a confidentiality breach, classified as CWE‑200.

Affected Systems

Discourse, the open‑source discussion platform, is affected. Vulnerable versions include 2026.1.0 up to but not including 2026.1.3, 2026.2.0 up to but not including 2026.2.2, and 2026.3.0 up to but not including 2026.3.0. Versions 2026.1.3, 2026.2.2, and 2026.3.0 and newer contain the fix.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account that already holds moderator privileges to trigger the export feature, so the attack path is an insider or a compromised moderator account rather than an anonymous one. The impact is confined to the contents of the exportable reports, but because those include admin-restricted reports that moderators are not meant to see, the risk of a data leak increases.

Generated by OpenCVE AI on April 9, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to 2026.1.3, 2026.2.2, or 2026.3.0 or newer to apply the patch.
  • If an upgrade is not possible immediately, revoke the export permission from moderator roles or limit access to the admin‑only reports.
  • Monitor export activity for anomalies and audit export logs to detect unauthorized data extraction.
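As an added illustration (not Discourse's own code; every class, method, report name and log entry below is constructed for the example), the following Ruby models the authorization gap described in the analysis above and the two mitigations in the recommended actions: an export path that applies the same visibility rule as the report view, and an audit check over export log entries that flags admin-only reports exported by non-admins.

```ruby
# Constructed model of a report-export authorization check. Names are
# hypothetical and do not mirror Discourse internals.
Report = Struct.new(:type, :admin_only, :rows, keyword_init: true)
User   = Struct.new(:username, :admin, :moderator, keyword_init: true) do
  def admin?;     admin;              end
  def moderator?; moderator;          end
  def staff?;     admin || moderator; end
end

# Constructed registry: one report visible to all staff, one admin-only.
REPORTS = {
  "posts"        => Report.new(type: "posts", admin_only: false,
                               rows: [["2026-03-30", 42], ["2026-03-31", 51]]),
  "staff_logins" => Report.new(type: "staff_logins", admin_only: true,
                               rows: [["2026-03-31", "alice", "203.0.113.7"]]),
}

class NotAuthorized < StandardError; end

# Pre-patch behaviour as the advisory describes it: the export path only
# asked "is this user staff?", so moderators could export admin-only reports.
def can_export_vulnerable?(user, _report)
  user.staff?
end

# Hardened check: the export path enforces the report's own visibility rule,
# so an admin-only report requires an admin, not merely a staff member.
def can_export_fixed?(user, report)
  return false unless user.staff?
  return user.admin? if report.admin_only
  true
end

AUDIT_LOG = []

# Export entry point: authorize first, then render CSV and record the event so
# that exports of admin-only reports can be audited afterwards.
def export_csv(user, report_type, check: method(:can_export_fixed?))
  report = REPORTS.fetch(report_type) { raise ArgumentError, "unknown report #{report_type}" }
  unless check.call(user, report)
    AUDIT_LOG << { actor: user.username, report: report_type, outcome: "denied" }
    raise NotAuthorized, "#{user.username} may not export #{report_type}"
  end
  AUDIT_LOG << { actor: user.username, report: report_type, outcome: "exported",
                 admin_only: report.admin_only }
  report.rows.map { |r| r.join(",") }.join("\n")
end

# Audit helper for the "monitor export activity" recommendation: successful
# exports of admin-only reports by accounts that are not admins are the signal
# a defender looks for in export logs while a fix is pending.
def suspicious_exports(log, users_by_name)
  log.select do |e|
    e[:outcome] == "exported" && e[:admin_only] && !users_by_name.fetch(e[:actor]).admin?
  end
end

if __FILE__ == $PROGRAM_NAME
  mod = User.new(username: "mod", admin: false, moderator: true)
  puts export_csv(mod, "posts")                                   # allowed
  begin
    export_csv(mod, "staff_logins")                               # denied by fixed check
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
  export_csv(mod, "staff_logins", check: method(:can_export_vulnerable?)) # pre-patch path
  p suspicious_exports(AUDIT_LOG, { "mod" => mod })
end
```

The `check:` parameter exists only so the vulnerable and fixed rules can be run side by side; in a real code base the export controller would call the same permission method the report page uses, which is exactly the coupling the patch restores.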

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 19:45:00 +0000

Type: CPEs
Values added:
  cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*
  cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
  cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Type: Metrics cvssV3_1
Values added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics ssvc
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values added:
  Discourse
  Discourse discourse

Type: Vendors & Products
Values added:
  Discourse
  Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type: Description
Values added:
  Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Type: Title
Values added:
  Discourse: Admin-only report can be exported by moderators

Type: Weaknesses
Values added:
  CWE-200

Type: References
Values added:
  (none listed)

Type: Metrics cvssV4_0
Values added:
  {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-04-01T18:05:32.105Z

Reserved: 2026-03-10T22:19:36.547Z

Link: CVE-2026-32143

Vulnrichment

Updated: 2026-04-01T18:05:28.749Z

NVD

Status: Analyzed

Published: 2026-03-31T18:16:49.560

Modified: 2026-04-09T19:42:47.660

Link: CVE-2026-32143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:46:12Z

Weaknesses