Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Discourse, an open-source discussion platform, had a flaw in its /private-posts endpoint. Prior to the patched releases, the endpoint did not restrict its results by post-type visibility, so a user participating in a private message (PM) thread could see whisper posts, content that is meant to be visible only to designated participants, alongside normal messages. The result is unauthorized disclosure of private content, which makes this an information-disclosure vulnerability.
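As an added illustration, not Discourse's own code (the class, method and sample data below are constructed for this example), the difference between a feed query that checks only topic access and one that also applies post-type visibility:

```ruby
# Hypothetical model of the CVE-2026-33355 bug class: a private-posts feed
# that only checks topic-level access (vulnerable) versus one that also
# filters by post type (fixed). Names are constructed for this example.

POST_TYPES = { regular: 1, whisper: 4 }.freeze

Post = Struct.new(:id, :topic_id, :post_type, :raw)

User = Struct.new(:id, :staff) do
  # Assumption for this example: whisper visibility is a staff privilege.
  def can_see_whispers?
    staff
  end
end

# Constructed sample data: one PM topic (id 10) with two regular posts
# and one whisper in between.
POSTS = [
  Post.new(1, 10, POST_TYPES[:regular], "hello"),
  Post.new(2, 10, POST_TYPES[:whisper], "staff-only note"),
  Post.new(3, 10, POST_TYPES[:regular], "reply"),
].freeze

# Vulnerable behaviour: returns every post in a topic the caller may read,
# regardless of post type, so PM members receive whispers too.
def private_posts_unfiltered(_user, allowed_topic_ids, posts = POSTS)
  posts.select { |p| allowed_topic_ids.include?(p.topic_id) }
end

# Fixed behaviour: topic access is still required, and whispers are only
# included when the caller is allowed to see them.
def private_posts_filtered(user, allowed_topic_ids, posts = POSTS)
  visible_types = [POST_TYPES[:regular]]
  visible_types << POST_TYPES[:whisper] if user.can_see_whispers?
  posts.select do |p|
    allowed_topic_ids.include?(p.topic_id) && visible_types.include?(p.post_type)
  end
end
```

A regular PM member gets posts 1 and 3 from the fixed query, while the unfiltered query hands them post 2 as well.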

Affected Systems

The vulnerability affects the Discourse community edition. Releases earlier than 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are affected; the fixed releases add the missing post-type visibility filtering. Any instance running an earlier release should be treated as vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation. The issue is not listed in the CISA KEV catalog, indicating no known in-the-wild exploitation. An attacker needs only an authenticated account that already participates in the private-message thread and can retrieve the whisper posts by querying the affected endpoint. Although this is straightforward for a legitimate thread participant, the issue grants no broader privileges and no remote code execution.

Generated by OpenCVE AI on March 24, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse instance to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, which contain the security fix.


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:45:00 +0000

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  Discourse
  Discourse discourse

Type: Vendors & Products
Values removed: (none)
Values added:
  Discourse
  Discourse discourse

Thu, 19 Mar 2026 22:15:00 +0000

Type: Description
Values removed: (none)
Values added:
  Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Type: Title
Values removed: (none)
Values added:
  Discourse filters whisper posts from private-posts feed

Type: Weaknesses
Values removed: (none)
Values added:
  CWE-200

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:10:20.981Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33355

Vulnrichment

Updated: 2026-03-20T17:00:39.678Z

NVD

Status: Analyzed

Published: 2026-03-19T22:16:42.320

Modified: 2026-03-24T20:41:42.893

Link: CVE-2026-33355

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:31Z

Weaknesses