Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discourse, in the 2026.1, 2026.3 and 2026.4 release lines before their patched versions, includes a flaw in DetailedTagSerializer#tag_group_names: it returns every tag group a tag belongs to, including groups restricted to specific user groups or to non-visible categories. Because the list is returned without filtering by the requesting user's visibility, an attacker can learn the names of protected tag groups. The vulnerability provides neither code execution nor privilege escalation; it only reveals sensitive metadata about how the forum is organized.
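The serializer flaw described above, as an added illustration rather than Discourse's own code: a toy tag/tag-group model with the unfiltered tag_group_names shape beside a version that filters on the requesting user's group membership, plus a helper that reports which names an unprivileged caller would see that it should not. The class names, the permitted_group_ids field, visible_to? and all sample data are constructed assumptions, not Discourse internals.

```ruby
# Added example (not Discourse code). Toy model of the bug class: a serializer
# method that lists every tag group a tag belongs to, beside a version that
# filters on the requesting user's visibility. All names are assumptions.

# Constructed stand-in for a tag group; an empty permitted_group_ids list means
# the group is visible to everyone (including anonymous callers).
TagGroup = Struct.new(:name, :permitted_group_ids, keyword_init: true) do
  def visible_to?(user)
    return true if permitted_group_ids.empty?
    return false if user.nil?                       # anonymous request
    (permitted_group_ids & user.group_ids).any?
  end
end

User = Struct.new(:username, :group_ids, keyword_init: true)
Tag  = Struct.new(:name, :tag_groups, keyword_init: true)

# Vulnerable shape: the caller's identity is ignored, so restricted names leak.
def tag_group_names_unfiltered(tag, _user)
  tag.tag_groups.map(&:name)
end

# Hardened shape: only groups the requesting user may see are serialized.
def tag_group_names_filtered(tag, user)
  tag.tag_groups.select { |g| g.visible_to?(user) }.map(&:name)
end

# Defender's check: which names would the unfiltered serializer expose to this
# user that the filtered one withholds? Run over real tag data to gauge impact.
def leaked_group_names(tag, user)
  tag_group_names_unfiltered(tag, user) - tag_group_names_filtered(tag, user)
end

# Constructed sample data (group ids 3 and 7 are arbitrary).
PUBLIC_GROUP  = TagGroup.new(name: "public-topics", permitted_group_ids: [])
STAFF_GROUP   = TagGroup.new(name: "moderation-queue", permitted_group_ids: [3])
PARTNER_GROUP = TagGroup.new(name: "partner-only", permitted_group_ids: [7])
SAMPLE_TAG    = Tag.new(name: "release",
                        tag_groups: [PUBLIC_GROUP, STAFF_GROUP, PARTNER_GROUP])
MEMBER        = User.new(username: "alice", group_ids: [7])
STAFF         = User.new(username: "mod", group_ids: [3, 7])

if __FILE__ == $0
  puts "anonymous, unfiltered: #{tag_group_names_unfiltered(SAMPLE_TAG, nil).inspect}"
  puts "anonymous, filtered:   #{tag_group_names_filtered(SAMPLE_TAG, nil).inspect}"
  puts "anonymous, leaked:     #{leaked_group_names(SAMPLE_TAG, nil).inspect}"
end
```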

Affected Systems

The bug affects the Discourse discussion platform. Versions 2026.1.0 through 2026.1.3, 2026.3.0, and 2026.4.0 are vulnerable. The issue was fixed in 2026.1.4, 2026.3.1, 2026.4.1 and in the 2026.5.0 release line.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that real-world exploitation is currently very unlikely. The vulnerability is not listed in CISA's KEV catalog, which further supports a low exploitation probability. When SiteSetting.tags_listed_by_group is enabled, an unauthenticated or minimally privileged user can send a request to TagsController#info, which is exempt from authentication, and retrieve the leaked tag group names.

Generated by OpenCVE AI on June 12, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse instance to the patched versions 2026.1.4, 2026.3.1, 2026.4.1, or any later 2026.5.0 release.
  • If an upgrade cannot be performed immediately, disable SiteSetting.tags_listed_by_group or otherwise restrict the visibility of tag group names to prevent disclosure.
  • As a temporary measure, restrict access to the TagsController#info endpoint by requiring authentication or by removing the endpoint from publicly accessible routes.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 00:00:00 +0000 (values added; nothing removed)

  First Time appeared: Discourse; Discourse discourse
  Vendors & Products: Discourse; Discourse discourse

Fri, 12 Jun 2026 21:00:00 +0000 (values added; nothing removed)

  Description: Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
  Title: Discourse: Don't leak restricted tag group names via tag info
  Weaknesses: CWE-200
  References:
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:26:38.847Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47264

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:23.680

Modified: 2026-06-12T21:16:23.680

Link: CVE-2026-47264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:45:26Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor