Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.
Published: 2026-05-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows anonymous or unprivileged users to view content that has been removed, because the system continues to serve stale AI summaries that were cached before the deletion. The problem exists in Discourse versions before 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The affected condition provides an information disclosure of content that should no longer be visible, mapping to CWE-200, CWE-524 and CWE-672.

Affected Systems

The issue affects installations of the Discourse open-source discussion platform, specifically versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Those running earlier builds are susceptible; up-to-date releases contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; the absence of an EPSS score suggests no known exploit activity to date, and the vulnerability is not listed in CISA's KEV catalog. Exploitation most likely requires only access to the AI summary endpoint, which anonymous and authenticated users alike can reach, so the attack vector is inferred to be a web request to the summary API. An attacker can then read the cached summary that still describes the removed content. Because the stale summary persists until someone with sufficient privileges regenerates it, the exposure can last for an arbitrary period.

Generated by OpenCVE AI on May 19, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the fixed Discourse releases 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
  • If an upgrade is not immediately possible, limit who can trigger summary generation by tightening allowed groups on summarization Personas.
  • Configure the system to invalidate cached summaries when content is deleted, ensuring outdated summaries do not persist.
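The third action above, invalidating cached summaries when content is deleted, is the one that closes the gap structurally. The following Ruby sketch is an added illustration, not Discourse's own code: it contrasts a cache keyed only by topic id (the pattern the advisory describes) with one keyed by a fingerprint of the currently visible posts, so that removing a post invalidates the summary for every reader, and a user who cannot regenerate receives nothing rather than a stale summary. `Post`, `Topic`, `SummaryCache`, `TopicIdOnlyCache` and the naive summarizer are constructed stand-ins.

```ruby
require "digest"

# Constructed stand-ins: posts are soft-deleted by flipping a flag, which is
# the "removed content" situation the advisory is about.
Post = Struct.new(:id, :body, :deleted, keyword_init: true)
Topic = Struct.new(:id, :posts, keyword_init: true)

# Weak pattern (hypothetical): cache keyed by topic id alone. A summary built
# before a removal is handed to anyone until somebody regenerates it.
class TopicIdOnlyCache
  def initialize
    @store = {}
  end

  def fetch(topic, can_regenerate:, &summarizer)
    return @store[topic.id] if @store.key?(topic.id)
    return nil unless can_regenerate

    @store[topic.id] = summarizer.call(topic.posts.reject(&:deleted))
  end
end

# Hardened pattern (hypothetical): the cache entry records a fingerprint of the
# visible content it was built from. Any removal changes the fingerprint, so
# the old summary can no longer be served, regardless of who is asking.
class SummaryCache
  def initialize
    @store = {} # topic_id => { fingerprint:, summary: }
  end

  # Fingerprint over the posts a reader is allowed to see right now.
  def self.fingerprint(topic)
    visible = topic.posts.reject(&:deleted)
    Digest::SHA256.hexdigest(visible.map { |p| "#{p.id}:#{p.body}" }.join("\n"))
  end

  # Serve a cached summary only if it matches current content. Users allowed
  # to regenerate get a fresh one on mismatch; everyone else gets nil instead
  # of a summary that may describe removed posts.
  def fetch(topic, can_regenerate:, &summarizer)
    current = self.class.fingerprint(topic)
    entry = @store[topic.id]
    return entry[:summary] if entry && entry[:fingerprint] == current
    return nil unless can_regenerate

    summary = summarizer.call(topic.posts.reject(&:deleted))
    @store[topic.id] = { fingerprint: current, summary: summary }
    summary
  end
end

# Toy summarizer for the demo: first three words of each visible post.
NAIVE_SUMMARIZER = ->(posts) { posts.map { |p| p.body.split.first(3).join(" ") }.join(" / ") }

# Scenario: summary is cached, then a moderator removes the second post.
# Returns what each kind of reader sees afterwards under both cache designs.
def demo
  topic = Topic.new(id: 42, posts: [
    Post.new(id: 1, body: "Release planning for next quarter", deleted: false),
    Post.new(id: 2, body: "Internal credentials are in the wiki", deleted: false),
  ])
  weak = TopicIdOnlyCache.new
  hard = SummaryCache.new

  before = hard.fetch(topic, can_regenerate: true, &NAIVE_SUMMARIZER)
  weak.fetch(topic, can_regenerate: true, &NAIVE_SUMMARIZER)

  topic.posts[1].deleted = true # post 2 is removed

  {
    before: before,
    weak_anon_after: weak.fetch(topic, can_regenerate: false, &NAIVE_SUMMARIZER),
    anon_after: hard.fetch(topic, can_regenerate: false, &NAIVE_SUMMARIZER),
    staff_after: hard.fetch(topic, can_regenerate: true, &NAIVE_SUMMARIZER),
    anon_later: hard.fetch(topic, can_regenerate: false, &NAIVE_SUMMARIZER),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file shows the weak cache still returning the sentence from the removed post to an anonymous reader, while the fingerprinted cache returns nil to that reader until a privileged user regenerates, after which the anonymous reader sees only the summary of the surviving post. A production implementation would more likely hook the deletion event to evict or re-key the entry, but the content fingerprint is the simpler invariant to reason about: a summary is never valid for content other than what it was computed from.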


Advisories

No advisories yet.

History

Tue, 19 May 2026 01:45:00 +0000

Values added (no values removed):
  • First Time appeared: Discourse; Discourse discourse
  • Vendors & Products: Discourse; Discourse discourse

Tue, 19 May 2026 00:15:00 +0000

Values added (no values removed):
  • Description: Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.
  • Title: Discourse: Cached outdated summaries can leak removed content
  • Weaknesses: CWE-200; CWE-524; CWE-672
  • References:
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T00:04:12.797Z

Reserved: 2026-03-11T14:47:05.685Z

Link: CVE-2026-32244

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T00:16:37.100

Modified: 2026-05-19T00:16:37.100

Link: CVE-2026-32244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T01:30:26Z

Weaknesses