Impact
Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 expose a chat search interface that inadvertently reveals whether a given user is a member of a chat channel. An unauthorised party can use it to infer membership status without authentication, which is a privacy breach. This is an instance of information disclosure (CWE-200): channel membership can reveal sensitive community structures, such as who participates in private or restricted channels.
Affected Systems
The affected product is the Discourse open-source discussion platform, specifically its chat module. Impacted releases are 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 (listed on the page as 2026.3.0 through 2026.3.0-latest prior to the patch). The fix is listed as shipping in Discourse 2026.1.3, 2026.2.2, and 2026.3.0. Note that 2026.3.0 appears in both the affected and the fixed lists, so operators on the 2026.3 line should confirm the exact patched build against the vendor advisory or the fixing commit rather than rely on the version number alone. Only systems running the older, unpatched releases remain at risk.
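The following is an added example, not code from the page or from the Discourse project, showing how an operator might check a fleet of Discourse instances against the version ranges listed above. The ranges, the fixed versions and the inventory are taken from this page or constructed for the example; the version-string format (three numeric components, optional "-suffix") is an assumption. Because 2026.3.0 is listed as both affected and fixed, the checker returns "confirm" for that version instead of guessing.

```python
"""Classify Discourse versions against the affected ranges listed on this page."""
from __future__ import annotations

from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed on the page (inclusive lower and upper bounds).
AFFECTED_RANGES = [
    ((2026, 1, 0), (2026, 1, 2)),
    ((2026, 2, 0), (2026, 2, 1)),
    ((2026, 3, 0), (2026, 3, 0)),
]

# Releases the page names as carrying the fix.
FIXED_VERSIONS = {(2026, 1, 3), (2026, 2, 2), (2026, 3, 0)}


def parse_version(text: str) -> Version:
    """Parse 'YYYY.minor.patch' with an optional '-suffix' (assumed format).

    A suffix such as '-latest' is dropped; anything else raises so that a
    malformed inventory entry is noticed rather than silently classified.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Discourse version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'affected', 'fixed', 'confirm' or 'not-listed' for a version.

    'confirm' is returned when the page lists the version as both affected
    and fixed (currently 2026.3.0), so the operator verifies the build.
    """
    version = parse_version(text)
    in_affected = any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)
    in_fixed = version in FIXED_VERSIONS
    if in_affected and in_fixed:
        return "confirm"
    if in_fixed:
        return "fixed"
    if in_affected:
        return "affected"
    # A later patch release on an affected line (e.g. 2026.2.3) is past the
    # fix; the page states that only the older releases remain at risk.
    for _lo, hi in AFFECTED_RANGES:
        if version[:2] == hi[:2] and version > hi:
            return "fixed"
    return "not-listed"


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return the hosts whose version is affected or needs confirmation."""
    result = {}
    for host, version in inventory.items():
        status = assess(version)
        if status in ("affected", "confirm"):
            result[host] = status
    return result


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "forum-a": "2026.1.1",
    "forum-b": "2026.2.2",
    "forum-c": "2026.3.0-latest",
    "forum-d": "2025.12.4",
}

if __name__ == "__main__":
    for host, status in hosts_needing_action(INVENTORY).items():
        print(f"{host}: {status}")
```

Versions the page does not mention at all (for example an older 2025 release) come back as "not-listed" rather than "fixed", since the page makes no statement about them.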
Risk and Exploitability
The CVSS base score of 4.3 (Medium) indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation in the wild is unlikely at present. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of active exploitation. The likely attack vector is the chat search API, which can be reached by anyone with network access to the application and does not require elevated privileges. No public exploit is referenced, and the impact is limited to unintended information disclosure, but administrators should still patch promptly: membership data leaked this way can be combined with other signals in correlation attacks, and the low severity rating does not reduce its value to an attacker mapping a community's private channels.
OpenCVE Enrichment