Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Information Disclosure to Moderators
Action: Patch Now
AI Analysis

Impact

The vulnerability is an authorization bypass in the Category Chatables controller show action. Moderators, who are already authenticated, can access the /category-chatables endpoint and receive metadata about hidden groups, including group names and member counts. This exposes sensitive administrative information that should be concealed, which is a classic information‑disclosure weakness (CWE‑200).

Affected Systems

Discourse installations running any of the following versions are impacted: 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0‑earlier. The issue has been fixed in 2026.1.3, 2026.2.2, and 2026.3.0.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate level of risk. There is no EPSS score available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate moderator account, so while external attackers cannot directly abuse the flaw, privileged insiders could use it to learn hidden group membership and potentially track or target users within those groups.

Generated by OpenCVE AI on March 31, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to version 2026.1.3 or newer, to 2026.2.2 or newer, or to 2026.3.0 or newer.

Generated by OpenCVE AI on March 31, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Title Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:42:00.882Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33300

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T18:16:52.267

Modified: 2026-03-31T18:16:52.267

Link: CVE-2026-33300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:37:31Z

Weaknesses