Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Published: 2026-05-19
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authenticated users of a Discourse instance can read the name and structured content of form templates that belong to categories they are not authorized to access, thereby exposing site configuration metadata. The flaw is a missing authorization check (CWE-862) on the form template API: the endpoint verifies that the caller is logged in but not that the caller may see the categories the template is restricted to. It allows disclosure of internal configuration information without granting additional privileges or compromising other data.
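To make the CWE-862 pattern concrete, here is an added Ruby illustration written for this page; it is not Discourse's code, and the data shapes, function names and the access policy (a template is readable only if the caller can read every category it is attached to) are assumptions. It contrasts an endpoint that checks only authentication with one that also authorizes against the template's categories.

```ruby
# Added illustration (not Discourse code): a minimal model of the missing
# authorization check described in this advisory. Names, structures and the
# access policy are assumptions chosen for the example.

require "set"

# Constructed sample data: form templates attached to category ids.
FORM_TEMPLATES = {
  1 => { name: "Bug report", categories: [10], content: "- type: input\n  id: steps" },
  2 => { name: "Vendor onboarding", categories: [20, 21], content: "- type: upload\n  id: nda" },
  3 => { name: "General question", categories: [], content: "- type: textarea\n  id: q" },
}.freeze

# Constructed sample users: the set of category ids each user may read.
READABLE_CATEGORIES = {
  "alice" => Set[10, 20, 21],
  "bob"   => Set[10],
}.freeze

# Vulnerable shape: the endpoint only checks that the caller is logged in,
# then serves any template by id. Category access is never consulted, so
# "bob" can read the template meant for categories he cannot see.
def show_template_unchecked(user, template_id)
  return { status: 403 } unless READABLE_CATEGORIES.key?(user)
  template = FORM_TEMPLATES[template_id]
  template ? { status: 200, body: template } : { status: 404 }
end

# Hardened shape: authorize against the resource itself. Assumed policy: a
# template is readable only if the caller can read every category it is
# attached to (a template with no categories is treated as site-wide).
# Unauthorized and nonexistent ids both return 404 so the response does not
# reveal that a hidden template exists.
def show_template_checked(user, template_id)
  readable = READABLE_CATEGORIES[user]
  return { status: 403 } unless readable
  template = FORM_TEMPLATES[template_id]
  return { status: 404 } unless template
  return { status: 404 } unless template[:categories].all? { |c| readable.include?(c) }
  { status: 200, body: template }
end
```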

Affected Systems

The vulnerability affects the open-source Discourse discussion platform. Versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 are impacted. Deployments running older releases of Discourse with the form templates feature enabled are susceptible to the information disclosure.

Risk and Exploitability

The CVSS score is 6, indicating moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated account on an instance where the form templates feature is enabled; such a user can then request templates tied to categories they cannot access and learn site configuration metadata. Because the flaw is limited to metadata exposure, the impact does not extend to code execution or privilege escalation. Prompt mitigation is still recommended.

Generated by OpenCVE AI on May 19, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse version 2026.1.4 or later, including the 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 releases that contain the fix.
  • If an immediate upgrade is not possible, disable the form templates feature in the site settings to prevent unauthorised template access.
  • Review category permissions to ensure users have appropriate access and that no hidden templates remain exposed.

Generated by OpenCVE AI on May 19, 2026 at 02:20 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 19 May 2026 03:15:00 +0000

Type: First Time appeared
Values Added: Discourse; Discourse discourse

Type: Vendors & Products
Values Added: Discourse; Discourse discourse

Tue, 19 May 2026 01:30:00 +0000

Type: Description
Values Added: Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Type: Title
Values Added: Discourse: Information Disclosure in Form Template API Due to Missing Authorization

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0, score 6, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T00:59:53.307Z

Reserved: 2026-03-20T16:59:08.891Z

Link: CVE-2026-33514

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T02:16:16.210

Modified: 2026-05-19T02:16:16.210

Link: CVE-2026-33514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T03:00:10Z

Weaknesses