Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of category content
Action: Apply Patch
AI Analysis

Impact

Insufficient access control on a sentiment analytics endpoint in Discourse allows an authenticated moderator-level user to retrieve post content, topic titles, and usernames from categories they were not authorized to view. The flaw lets confidential discussion data be read across category boundaries, compromising the privacy and internal confidentiality of restricted categories.

Affected Systems

Versions from 2026.1.0 up to but not including 2026.1.3, from 2026.2.0 up to but not including 2026.2.2, and 2026.3.0-latest builds before 2026.3.0 are vulnerable. The issue is addressed in releases 2026.1.3, 2026.2.2, and 2026.3.0 onward.

Risk and Exploitability

The CVSS score of 5.1 reflects moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because it requires an authenticated moderator account, only users with elevated privileges can exploit it; therefore, the risk is primarily internal. Administrators should enforce strict role policies while applying the available fix.

Generated by OpenCVE AI on April 10, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current Discourse version through the administration dashboard.
  • Upgrade Discourse to a patched release (2026.1.3, 2026.2.2, 2026.3.0, or newer).
  • Restart the Discourse instance to ensure the updated code is active.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Title Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:21:37.890Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33415

Vulnrichment

Updated: 2026-04-03T16:21:25.371Z

NVD

Status : Analyzed

Published: 2026-03-31T18:16:52.410

Modified: 2026-04-10T01:50:42.777

Link: CVE-2026-33415

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:58Z

Weaknesses