Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An access control flaw in Discourse’s sentiment‑analytics endpoint allows an authenticated user with moderator privileges to read posts, topic titles, and usernames in categories that should be restricted. This bypasses normal category permissions and leads to confidential content being exposed to users without proper authorization. The weakness is a classic information‑leak vulnerability (CWE‑284), providing attackers with potential insight into private discussions or sensitive data.

Affected Systems

Discourse software versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and any 2026.3.0 release before the 2026.3.0 patch are vulnerable. The issue was fixed in 2026.1.3, 2026.2.2, and 2026.3.0. Administrators should verify their installed version and consult the vendor’s advisory for exact upgrade instructions.

Risk and Exploitability

With a CVSS score of 5.1, the problem is considered moderate severity; exploitation requires a valid moderator account, so the attack surface is limited to users with elevated privileges. No publicly known exploits were reported and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, because it compromises confidentiality, prompt patching is recommended once an updated version is available.

Generated by OpenCVE AI on March 31, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to at least version 2026.1.3, 2026.2.2, or 2026.3.0, whichever applies to your deployment.
  • If an upgrade is not immediately possible, consider disabling the sentiment‑analytics endpoint or restricting moderator access to that endpoint temporarily.
  • Verify that the vulnerability no longer exists by testing the endpoint after applying the patch.
  • Monitor Discourse’s release notes and security advisories for any additional patches.

Generated by OpenCVE AI on March 31, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Title Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:42:15.870Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33415

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T18:16:52.410

Modified: 2026-03-31T18:16:52.410

Link: CVE-2026-33415

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:37:30Z

Weaknesses