Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure via Zendesk tickets
Action: Immediate Patch
AI Analysis

Impact

Moderators can create Zendesk tickets for topics they cannot view, allowing private or restricted forum content to be sent to Zendesk. This is a classic authorization bypass (CWE-863) that permits privileged users to expose confidential information that should remain hidden. The flaw stems from a missing access check during ticket creation, leading to direct data exposure over an external ticketing system.

Affected Systems

Discourse forums running any version prior to 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 that have the Zendesk plugin installed are affected. The vulnerability applies to all forums where moderators have the ability to create Zendesk tickets, regardless of topic visibility.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score below 1% suggests a low likelihood of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers who are moderators can exploit it by simply using the Zendesk ticket creation interface, which then sends topic data to Zendesk even when the moderator lacks viewing rights. This results in unintended disclosure of private forum content to an external system.

Generated by OpenCVE AI on March 24, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 where the patch is included.
  • Verify that the Zendesk plugin is enabled and that only authorized roles can create tickets.
  • If an upgrade is not immediately possible, temporarily disable the Zendesk plugin or restrict ticket creation permissions for moderators until the patch is applied.
  • Monitor Zendesk logs for unexpected tickets originating from moderators lacking topic visibility.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 21:15:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                            cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics                     cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Tue, 24 Mar 2026 02:30:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Discourse
                                       Discourse discourse
Vendors & Products                     Discourse
                                       Discourse discourse

Fri, 20 Mar 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description                    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title                          Discourse user can create Zendesk tickets even when it does not have access to topic
Weaknesses                     CWE-863
References
Metrics                        cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T02:08:54.073Z

Reserved: 2026-03-18T18:55:47.426Z

Link: CVE-2026-33291

Vulnrichment

Updated: 2026-03-24T02:08:48.453Z

NVD

Status : Analyzed

Published: 2026-03-20T23:16:47.503

Modified: 2026-03-24T21:10:46.013

Link: CVE-2026-33291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:00Z

Weaknesses