A misnamed predicate in Discourse’s GroupPostSerializer caused the system to skip the privacy check for user names, resulting in every post’s full name being serialized regardless of the SiteSetting.enable_names setting. This flaw leads to inadvertent exposure of users’ real names wherever reaction posts are displayed, violating confidentiality expectations for privacy‑sensitive users. The weakness is a classic privacy disclosure (CWE‑200) and does not allow code execution or denial of service, but it does enable any viewer of affected posts to learn personal identifiers they intended to hide.

The issue appears in the Discourse open‑source discussion platform, affecting releases 2026.1.0‑2026.1.3, 2026.3.0, and 2026.4.0. The misconfiguration was resolved in versions 2026.1.4, 2026.3.1, 2026.4.1, and the 2026.5.0-latest.1 update rollback curve.

With a CVSS score of 4.3 a moderate risk is assigned. The EPSS score is below 1 %, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw simply by accessing any post that triggers the serializer, such as viewing reactions; no elevated privileges are required, and the exploitation pathway is straightforward. The primary consequence is unintended name disclosure rather than privilege escalation.