Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
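As an added illustration of the two checks the advisory describes (not Discourse's own code; `User`, `Group`, `DmGuardian` and the sample data are assumptions), the pre-patch behaviour is modelled beside the hardened form: `target_groups` only contributes members of groups the acting user may see, and `can_chat?` requires the user's own `chat_enabled` preference in addition to group membership.

```ruby
# Added illustration of the two checks the advisory describes; not Discourse's
# own code. User, Group, DmGuardian and the sample data are assumptions.
User  = Struct.new(:name, :chat_enabled, :group_ids, keyword_init: true)
Group = Struct.new(:name, :visibility, :members, keyword_init: true)

class DmGuardian
  attr_reader :users

  def initialize(users, groups, chat_group_ids)
    @users = users.to_h { |u| [u.name, u] }
    @groups = groups.to_h { |g| [g.name, g] }
    @chat_group_ids = chat_group_ids # groups whose members are allowed to chat
  end

  # Pre-patch: membership in a chat-allowed group is the only condition.
  def can_chat_vulnerable?(user)
    (user.group_ids & @chat_group_ids).any?
  end

  # Patched: the user's own chat_enabled preference must be on as well, so a
  # chat-disabled user cannot create or query DM channels.
  def can_chat?(user)
    user.chat_enabled && can_chat_vulnerable?(user)
  end

  # Pre-patch: target_groups resolve straight to member lists, regardless of
  # whether the acting user is allowed to see the group.
  def resolve_targets_vulnerable(target_groups)
    target_groups.flat_map { |n| @groups[n]&.members || [] }.uniq
  end

  # Patched: a group only contributes members if it is visible to the actor.
  def resolve_targets(actor, target_groups)
    target_groups.flat_map do |n|
      g = @groups[n]
      g && group_visible?(actor, g) ? g.members : []
    end.uniq
  end

  # Visibility model assumed here: public groups, or groups the actor belongs to.
  def group_visible?(actor, group)
    group.visibility == :public || group.members.include?(actor.name)
  end
end

# Constructed sample data: group 1 is the chat-allowed group, "secret-staff" is hidden.
def sample_guardian
  users = [User.new(name: "alice", chat_enabled: true, group_ids: [1]),
           User.new(name: "mallory", chat_enabled: false, group_ids: [1]),
           User.new(name: "bob", chat_enabled: true, group_ids: [1, 2])]
  groups = [Group.new(name: "secret-staff", visibility: :private, members: %w[bob carol])]
  DmGuardian.new(users, groups, [1])
end
```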
Published: 2026-03-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privacy Compromise
Action: Patch
AI Analysis

Impact

This vulnerability involves two authorization lapses in the chat direct-message API. An authenticated user can supply a hidden or private group name when creating or expanding a DM channel, and the system resolves that name without verifying the creator's rights to view the group. Consequently the user receives a channel containing all members of the private group, leaking their identities. Additionally, the API's check for chat ability ignores the individual user's chat-enabled preference, letting a chat-disabled user create or query DM channels between other participants. The resulting channel response can expose the private last-message content, further compromising confidentiality. The weakness is catalogued as CWE-863: Insufficient Authorization.

Affected Systems

The affected product is the open-source discussion platform Discourse. Vulnerable versions are all releases prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain the fix and are recommended for deployment.

Risk and Exploitability

The CVSS score of 5.4 reflects a moderate severity, while the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker needs only authenticated access to the chat API and knowledge of a private group name. The exploit path is straightforward: construct a valid API request to /direct_messages using the target_groups parameter or to query a DM channel, and read the returned data. Once executed, the attacker gains information about private group membership and potentially private last messages, compromising confidentiality but not system control.

Generated by OpenCVE AI on March 24, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Discourse patch that includes the updates for versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.
  • Verify that your installation runs a patched version and test the /direct_messages API for expected authorization enforcement.
  • Monitor API usage for anomalous DM creation or queries involving private groups, and review logs for unauthorized access attempts.

Generated by OpenCVE AI on March 24, 2026 at 22:29 UTC.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 21:00:00 +0000

CPEs: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*, cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 20 Mar 2026 17:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

First Time appeared: Discourse, Discourse discourse
Vendors & Products: Discourse, Discourse discourse

Thu, 19 Mar 2026 22:15:00 +0000

Description: (identical to the description at the top of this page)
Title: Discourse hardens chat DM channel creation and expansion
Weaknesses: CWE-863
References: (none)
Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:11:14.726Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33410

Vulnrichment

Updated: 2026-03-20T16:11:10.944Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:42.827

Modified: 2026-03-24T20:54:31.467

Link: CVE-2026-33410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:34Z

Weaknesses