Impact
An internal authorization flaw in Discourse’s oneboxer component allows an authenticated user to request inline onebox data with a category_id that matches the shared drafts category. Such a request returns the titles of the draft topics stored in that category. The vulnerability exposes content the user should not be able to view, a confidentiality breach of internal draft information. The weakness is classified as CWE-200 (exposure of sensitive information to an unauthorized actor), rooted in a missing authorization check.
Affected Systems
Discourse instances running any release from 2026.1.0-latest up to, but not including, 2026.1.3; from 2026.2.0-latest up to, but not including, 2026.2.2; or from 2026.3.0-latest up to, but not including, 2026.3.0 are affected. Versions 2026.1.3, 2026.2.2, and 2026.3.0 and newer contain the patch that removes the vulnerability.
Risk and Exploitability
The CVSS base score of 4.3 indicates moderate impact with a limited exploitation scope. An EPSS score below 1% reflects a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated to trigger the flaw; the attack vector is a crafted request to the onebox endpoint. Because the issue is triggered by user-controlled input, exploitation is straightforward for any legitimate user with an account. The absence of a public exploit and the low exploitation probability reduce the immediate threat, but the confidentiality risk remains relevant wherever draft content is sensitive.
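The following Ruby example is added here to illustrate the advisory and is not Discourse's own code: it models the lookup in its vulnerable shape (authentication only) beside a hardened form that authorizes the requested category before returning titles, and a simple log scan that flags requests for the shared drafts category on an unpatched instance. The category id, topics, log format, and the /inline-onebox path are constructed assumptions.

```ruby
require 'cgi'

SHARED_DRAFTS_CATEGORY_ID = 42 # constructed sample value, not a real Discourse id

User  = Struct.new(:id, :staff) # staff: true for users allowed to see shared drafts
Topic = Struct.new(:id, :title, :category_id)

# Constructed sample data: one public topic and one shared draft.
TOPICS = [
  Topic.new(1, 'Public announcement', 7),
  Topic.new(2, 'Unreleased: Q3 pricing changes', SHARED_DRAFTS_CATEGORY_ID),
].freeze

# Vulnerable shape of the lookup, as the advisory describes it: only
# authentication is checked, and category_id is trusted from the request.
def inline_onebox_titles_vulnerable(user, category_id)
  return [] if user.nil?
  TOPICS.select { |t| t.category_id == category_id }.map(&:title)
end

# Hardened form: authorize the requested category before any title leaves
# the server. Non-staff users get an empty result for the shared drafts
# category instead of its draft titles.
def can_see_category?(user, category_id)
  return false if user.nil?
  return true if category_id != SHARED_DRAFTS_CATEGORY_ID
  user.staff == true
end

def inline_onebox_titles(user, category_id)
  return [] unless can_see_category?(user, category_id)
  TOPICS.select { |t| t.category_id == category_id }.map(&:title)
end

# Detection for unpatched instances: flag inline-onebox requests whose
# category_id is the shared drafts category. Log lines use a constructed
# "user_id path" format and "/inline-onebox" is an assumed path; adapt both
# to the real access log before use.
def suspicious_onebox_requests(log_lines)
  log_lines.filter_map do |line|
    user_id, path = line.split(' ', 2)
    next unless path&.start_with?('/inline-onebox')
    query = path.split('?', 2)[1].to_s
    cid = CGI.parse(query)['category_id'].first
    [user_id.to_i, cid.to_i] if cid && cid.to_i == SHARED_DRAFTS_CATEGORY_ID
  end
end
```

Correlate flagged user ids with their roles before raising an alert: staff requests against the shared drafts category are expected, non-staff ones are not.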
OpenCVE Enrichment