Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows disclosure of whisper translation audit logs through bot debug endpoints. Attackers can retrieve logs that may contain sensitive user messages and user identifiers, resulting in the exposure of conversation content and user identities. This is an information-disclosure issue classified as CWE-200.

Affected Systems

Discourse installations running 2026.1.0 up to but not including 2026.1.4, 2026.3.0 up to but not including 2026.3.1, and 2026.4.0 up to but not including 2026.4.1 are affected. The issue is patched in releases 2026.1.4, 2026.3.1, 2026.4.1, and any newer 2026.5.0 versions.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% and absence from the KEV catalog suggest a low likelihood of exploitation. The exposed audit logs can provide attackers with sensitive conversation content and user identifiers. Based on the description, it is inferred that the bot debug endpoints are reachable via standard HTTP requests without additional authentication; an attacker who can reach the Discourse instance can issue such requests and download the sensitive logs. The vulnerability does not require privilege escalation, making the exposure widely available to any network-connected user. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) sets Privileges Required to Low, so the score itself assumes an attacker holding at least a low-privileged account.

Generated by OpenCVE AI on June 12, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to the patched release for your release line: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
  • Restrict or disable access to the bot debug endpoints so that only administrators can reach them.
  • Configure the network or application firewall to block external traffic to those debug endpoints.

Generated by OpenCVE AI on June 12, 2026 at 22:52 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Discourse; Discourse discourse
Vendors & Products | | Discourse; Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Title | | Discourse: Bot debug endpoints disclose whisper translation audit logs
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:22:30.408Z

Reserved: 2026-05-07T19:20:44.689Z

Link: CVE-2026-44779

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:21.503

Modified: 2026-06-12T21:16:21.503

Link: CVE-2026-44779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:00:08Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor