Discourse’s review queue interface inadvertently exposed the IP address of flagged users to any user who could access the queue, including roles that should not see such information. This allows an attacker to learn the precise source address of a user who was flagged for moderation, potentially facilitating user profiling or targeted abuse. The vulnerability falls under the confidentiality vulnerability class (CWE‑200) and does not grant any additional control or denial of service capabilities.

The flaw affects the Discourse open‑source forum platform on versions older than 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2. All instances running those older releases were vulnerable; the patch is included in the mentioned newer versions. No specific hardware or operating system requirements are stated, and the issue is confined to the Discourse software itself.

The vulnerability carries a CVSS score of 3.5, indicating low to moderate overall risk, and an EPSS score lower than 1 %, suggesting a very low probability of exploitation in the wild. The issue is not in the CISA KEV catalog. Based on the description, the likely attack vector is an authenticated user with access to the review queue, which may include moderators or users who have inadvertently been granted higher visibility privileges. No external code execution or privilege escalation is possible; the impact is limited to the accidental disclosure of the IP address.