Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Data Leakage
Action: Patch Now
AI Analysis

Impact

A flaw in the Post Edits admin report caused the first 40 characters of raw post content from private messages and secure categories to leak to moderators who should not have that access, constituting a CWE-200 information exposure and allowing unintended disclosure of confidential content.

Affected Systems

Discourse, the open-source discussion platform, is affected; versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are vulnerable, while later releases contain the fix.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS probability is less than 1%, indicating a low likelihood of exploitation. It is not listed in CISA's KEV catalog. The likely attack vector requires a moderator or an actor who can assume moderator privileges to access the /admin/reports/post_edits endpoint, thereby exposing private message snippets; no publicly disclosed exploit code is available.

Generated by OpenCVE AI on March 24, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or newer.
  • Verify that the Post Edits report no longer displays private message content.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/post_edits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title Discourse leaks PM post edits to moderators
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:36:24.612Z

Reserved: 2026-03-19T17:02:34.169Z

Link: CVE-2026-33394

Vulnrichment

Updated: 2026-03-20T18:36:17.004Z

NVD

Status: Analyzed

Published: 2026-03-19T22:16:42.660

Modified: 2026-03-24T20:53:01.660

Link: CVE-2026-33394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:30Z

Weaknesses