Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the chat plugin allows users with read‑only category permissions to create chat threads, and lets the author of a self‑deleted chat message restore it even after their access to the channel has been revoked. Moderators reviewing a flagged chat message are shown the channel's current last message rather than the flagged one, which is often unrelated direct‑message content. Calendar event payloads also expose the attached chat channel and its last message to anyone able to view the event, including anonymous visitors. These weaknesses, classified as CWE‑200 (exposure of sensitive information) and CWE‑862 (missing authorization), result in unauthorized disclosure of chat data and in actions being permitted for users whose limited roles should not allow them.

Affected Systems

Affected applications are Discourse versions 2026.1.0 through just before 2026.1.4, 2026.3.0 through just before 2026.3.1, and 2026.4.0 through just before 2026.4.1. The problem exists on sites that have the chat plugin enabled; the calendar issue additionally requires the discourse‑calendar plugin. The patches that address all four issues are present in 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, indicating a low estimated probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Attackers are likely to benefit from the ability to create chat threads as read‑only users or to restore deleted messages, which provides a pathway for further privilege escalation or reconnaissance within the chat environment. Preventing exploitation requires applying the vendor‑issued patch or disabling the vulnerable plugins.

Generated by OpenCVE AI on June 12, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Discourse to at least 2026.5.0, which includes fixes for the chat and calendar plugins.
  • If an upgrade is not immediately possible, disable the chat plugin (and discourse‑calendar if in use) until a patched version can be applied.
  • Restrict read‑only category users from creating chat threads by adjusting role permissions in the platform settings.
  • Review moderation logs for any unusual attempts to restore deleted messages or view other users’ chat content, and investigate suspicious activity.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Discourse; Discourse discourse
Vendors & Products  |                | Discourse; Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Title       |                | Discourse: Chat misauthorization and information disclosure
Weaknesses  |                | CWE-200; CWE-862
References  |                |
Metrics     |                | cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:25:09.286Z

Reserved: 2026-05-08T18:45:10.097Z

Link: CVE-2026-45085

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:23.123

Modified: 2026-06-12T21:16:23.123

Link: CVE-2026-45085

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:45:28Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-862: Missing Authorization