Impact
This vulnerability allows an unauthenticated user to infer whether a specific individual belongs to a private group on a Discourse site by observing how the public directory's results change when the exclude_groups parameter is supplied. The flaw corresponds to the information disclosure weaknesses catalogued as CWE‑203, CWE‑639, and CWE‑862. Because no code is executed and no system state is altered, the impact is limited to revealing membership status, which can compromise user privacy and support targeted social engineering. The vulnerability is triggered by including the exclude_groups parameter in a public directory request and observing whether particular user entries appear or disappear from the result.
Affected Systems
Discourse, the open‑source discussion platform, is affected in all releases older than 2026.3.0‑latest.1, 2026.2.1, and 2026.1.2. Those releases contain the patch that removes the inferential leak.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation is straightforward: an attacker sends an unauthenticated HTTP request to the public directory endpoint, supplies the exclude_groups parameter, and inspects the returned list to determine group membership. No special privileges or credentials are required, and the attack can be performed by any observer of the public directory API.
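The following is an added detection example (not part of the advisory or of Discourse's own code) that scans web-server access logs for clients issuing directory requests with the exclude_groups parameter and flags those that vary its value across several requests, which is the request pattern the advisory describes. It assumes combined-format log lines and that the directory endpoint is served under the path /directory_items; the log lines are constructed sample data.

```python
"""Flag clients probing a Discourse public directory with exclude_groups."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /directory_items.json?period=all&order=likes_received HTTP/1.1" 200 8123
203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /directory_items.json?period=all&exclude_groups=staff HTTP/1.1" 200 7990
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /directory_items.json?period=all&exclude_groups=moderators HTTP/1.1" 200 7990
203.0.113.9 - - [01/Mar/2026:10:00:04 +0000] "GET /directory_items.json?period=all&exclude_groups=private_team,staff HTTP/1.1" 200 7901
203.0.113.7 - - [01/Mar/2026:10:00:05 +0000] "GET /t/welcome/1 HTTP/1.1" 200 4021
"""

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DIRECTORY_PATH = "/directory_items"  # assumed path of the public directory endpoint


def probes_by_client(log_text):
    """Map each client IP to the set of exclude_groups values it sent to the directory."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if not url.path.startswith(DIRECTORY_PATH):
            continue
        for value in parse_qs(url.query).get("exclude_groups", []):
            # The parameter may carry a comma-separated list; record each group name.
            seen[m["ip"]].update(v for v in value.split(",") if v)
    return seen


def flag_probing(log_text, threshold=2):
    """Clients that queried at least `threshold` distinct excluded groups: likely membership probing."""
    return {ip: sorted(groups) for ip, groups in probes_by_client(log_text).items()
            if len(groups) >= threshold}


if __name__ == "__main__":
    for ip, groups in flag_probing(SAMPLE_LOG).items():
        print(f"{ip} probed groups: {', '.join(groups)}")
```

A single request with exclude_groups already leaks one bit, so the threshold only reduces noise; upgrading to a patched release is the fix, and this scan is for spotting probing against still-unpatched sites.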
OpenCVE Enrichment