{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-19T22:01:42.387Z", "dateUpdated": "2026-03-20T18:10:20.981Z"}, "containers": {"cna": {"title": "Discourse filters whisper posts from private-posts feed", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq"}, {"name": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c"}, {"name": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc"}, {"name": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:42.387Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-g4v5-6gfp-3hjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:00:35.807294Z", "id": "CVE-2026-33355", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:10:20.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:00:35.807294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:00:39.678Z"}}], "cna": {"title": "Discourse filters whisper posts from private-posts feed", "source": {"advisory": "GHSA-g4v5-6gfp-3hjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "name": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "name": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "name": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:42.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33355", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:10:20.981Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:01:42.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "id": "CVE-2026-33355", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:42.320", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-20T00:08:07.470537+00:00", "value": {"mitigation_remediation": ["Upgrade the Discourse instance to version 2026.3.0\u2011latest.1 or newer, which contains the patch that restores proper visibility filtering for whisper posts.", "If an immediate upgrade is infeasible, temporarily block or rate\u2011limit access to the \"/private-posts\" endpoint at the network layer to reduce the risk of unauthorized disclosure.", "Continuously monitor Discourse security advisories and release notes for additional patches or recommended mitigations."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure \u2013 Whisper Posts Exposure"}, "threat_synthesis": {"affected_systems": "Discourse discussion platform versions prior to 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are affected. The vendor identified for this product is \"discourse:discourse\". These releases lack the patch that correctly applies visibility filtering to whisper posts.", "description_and_impact": "The vulnerability occurs when the \"/private-posts\" endpoint in Discourse does not enforce post-type visibility filtering. As a result, regular private\u2011message participants can view whisper posts\u2014intended for a limited audience\u2014within the same PM topic. This exposes confidential or sensitive content that should remain hidden, compromising user privacy and potentially violating trust in the forum.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a legitimate forum user or attacker sending requests to the \"/private-posts\" endpoint or navigating to a PM page; no additional privileges are required beyond access to the privileged PM topic. The impact is limited to confidentiality disclosure of whisper posts; however, the leakage can erode user trust and reveal sensitive discussions."}}}}, "created": "2026-03-20T08:55:23.177302+00:00", "updated": "2026-03-20T11:05:45.445223+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}