Discourse Policy Plugin Group Member Visibility Vulnerability

Vulnerability

A vulnerability in the Discourse Policy plugin prior to version 0.1.1 exposes the membership of a private group to non-members: if a policy referencing that group is posted in a public topic, the group's members become visible to anyone who can read the topic. This issue has been resolved in version 0.1.1. As a workaround, policy topics associated with private groups can be moved to restricted categories.

Impact

This vulnerability could lead to unauthorized visibility of private group members to non-group members.

Reproduction

To reproduce this vulnerability, post a policy in a public topic that is linked to a private group. Group members will be visible to non-group members.

Remediation

Update to Discourse Policy plugin version 0.1.1 or later. If an immediate update is not possible, move any policy topics with private groups to restricted categories.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.