Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-20
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized private message access
Action: Patch
AI Analysis

Impact

A vulnerability in the Discourse discussion platform allows a user whose access to a private message topic has been revoked to re‑gain access through invite links, exposing confidential conversations that should remain private. The weakness is a failure in authentication after a privilege change, formally identified as CWE‑863. Once the revoked user obtains or retains an invite URL, the system permits view or interaction with the hidden topic, constituting a confidentiality breach.

Affected Systems

The issue impacts the open‑source Discourse platform. Versions prior to 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2 are vulnerable. The patch is included in those releases; all earlier releases within the same branches remain at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker possess an invitation link and keep it after their access has been revoked; using the link grants immediate read access to the private topic.

Generated by OpenCVE AI on March 24, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release (2026.3.0‑latest.1, 2026.2.1, or 2026.1.2) to apply the fix.

Generated by OpenCVE AI on March 24, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title PM access granted through invites after access revocation
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:43:16.900Z

Reserved: 2026-03-19T18:45:22.433Z

Link: CVE-2026-33424

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-21T00:16:26.853

Modified: 2026-03-24T19:38:59.177

Link: CVE-2026-33424

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:33:49Z

Weaknesses