Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- <= 3.3.3
- <= 3.4.0.beta4
A vulnerability in Discourse allows users to read private message (PM) titles and metadata from other users under certain conditions. All of the following must hold: the 'PM tags allowed for groups' option is enabled, the user is a member of a group listed in that option, and the PM has been tagged. The vulnerability is present in the stable branch through 3.3.3, the beta branch through 3.4.0.beta4, and the tests-passed branch through 3.4.0.beta4.
The vulnerability allows for unauthorized access to private message titles and metadata, potentially leading to privacy violations.
Users should upgrade to the latest stable, beta, or tests-passed versions of Discourse. Those unable to upgrade should remove all groups from the 'PM tags allowed for groups' option.