Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discourse has a flaw that publishes chat events for public channels to the MessageBus without verifying that the subscriber is authorized for chat. The result is that any client listening to the MessageBus can receive potentially sensitive chat payloads. The weakness is a classic information-disclosure vulnerability (CWE-200).
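To make the "permission scoping" point concrete, here is a constructed model of a publish/subscribe bus (added here; it is not Discourse code and not the message_bus gem). The optional user_ids:/group_ids: scope mimics the recipient-scoping options the message_bus gem's publish accepts, and the channel name and group id are assumptions chosen for the illustration.

```ruby
# Constructed model, not Discourse or message_bus code. Shows how an unscoped
# chat broadcast reaches a subscriber who is not chat-eligible, and how a
# group-scoped broadcast does not.
Subscriber = Struct.new(:id, :group_ids, :inbox)

class ToyBus
  def initialize
    @subscribers = []
  end

  def subscribe(subscriber)
    @subscribers << subscriber
    subscriber
  end

  # A message with no scope is delivered to every subscriber; a scoped
  # message reaches only the listed users or members of the listed groups.
  def publish(channel, payload, user_ids: nil, group_ids: nil)
    @subscribers.each do |s|
      next if user_ids && !user_ids.include?(s.id)
      next if group_ids && (group_ids & s.group_ids).empty?
      s.inbox << [channel, payload]
    end
  end
end

CHAT_GROUP_ID = 42 # assumed id for a "chat-eligible" group

# Vulnerable pattern: a public chat channel event published with no scope.
def publish_chat_event_unscoped(bus, payload)
  bus.publish("/chat/channel/1", payload)
end

# Hardened pattern: restrict the broadcast to groups allowed to use chat.
def publish_chat_event_scoped(bus, payload)
  bus.publish("/chat/channel/1", payload, group_ids: [CHAT_GROUP_ID])
end

# Returns how many chat payloads a chat-eligible subscriber and a
# non-eligible subscriber each receive under the given publishing style.
def delivered_counts(scoped:)
  bus = ToyBus.new
  eligible = bus.subscribe(Subscriber.new(1, [CHAT_GROUP_ID], []))
  other    = bus.subscribe(Subscriber.new(2, [], []))
  payload  = { "type" => "sent", "message" => "constructed chat text" }
  scoped ? publish_chat_event_scoped(bus, payload) : publish_chat_event_unscoped(bus, payload)
  { eligible: eligible.inbox.size, other: other.inbox.size }
end
```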

Affected Systems

The affected product is the Discourse discussion platform. Vulnerable releases include 2026.1.0 through 2026.1.3, 2026.3.0 alone, and 2026.4.0 alone. These ranges are patched in 2026.1.4, 2026.3.1, 2026.4.1, and in all releases thereafter, such as 2026.5.0.

Risk and Exploitability

The CVSS score of 7.5 labels the issue as high severity, but the EPSS score of less than 1% indicates a very low likelihood of active exploitation. The vulnerability is not listed in the CISA KEV catalog, so no real-world exploitation has been recorded. Attackers can exploit it by subscribing to the MessageBus endpoint, which is publicly reachable; no special credentials are required beyond the ability to connect to the bus. The exposure is purely informational, with no direct path to code execution or service disruption.

Generated by OpenCVE AI on June 12, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0 and later).
  • If an upgrade is delayed, restrict access to the MessageBus endpoint to authenticated subscribers, or disable MessageBus for unauthenticated users.
  • Monitor inbound MessageBus traffic for anomalous subscribers and verify that only chat-enabled clients are receiving chat payloads.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Discourse
                                      Discourse discourse
Vendors & Products                    Discourse
                                      Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Title                          Discourse: Public chat MessageBus broadcasts are not restricted to chat-eligible users
Weaknesses                     CWE-200
References
Metrics                        cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:22:06.193Z

Reserved: 2026-05-07T19:20:44.691Z

Link: CVE-2026-44786

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:22.313

Modified: 2026-06-12T21:16:22.313

Link: CVE-2026-44786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:45:28Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor