Discourse Username Lookup Vulnerability Bypassing Name Privacy Settings

Vulnerability

A vulnerability in Discourse allows users to find other users and their full names through the UI or API, even when the 'enable_names' setting is turned off. This issue affects Discourse versions prior to 3.5.3, 2025.11.1, and 2025.12.0. The vulnerability arises because the search functionality did not respect the 'enable_names' site setting, so partial knowledge of a username was enough to look up the user and see their full name.

Impact

This vulnerability could lead to unauthorized disclosure of user names and full names, violating user privacy.

Reproduction

To reproduce this vulnerability, first ensure that 'enable_names' is disabled. Then, use the search feature or the API to look up a user by a partial username. The full name of the user will be returned, despite the privacy setting.

Remediation

Users can update to Discourse versions 3.5.3, 2025.11.1, or 2025.12.0 to address this vulnerability.
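
The class of bug described above, as an added example that is not Discourse's own code: a simplified user search shown once ignoring the setting and once gated on it, plus a regression check for the leak. `Settings`, `User`, the function names and the sample records are constructed for illustration, and matching on the full name is an assumption of this model that the advisory does not state.

```ruby
# Simplified model of a user search, NOT Discourse's actual code.
# Settings, User and the sample records are constructed for illustration.
Settings = Struct.new(:enable_names)
User = Struct.new(:username, :name)

USERS = [
  User.new("jdoe42", "Jane Doe"),
  User.new("jsmith", "John Smith"),
  User.new("doering", "Karl Doering"),
].freeze

# 'Before' behaviour: the full name is returned whatever the setting says.
# The model also matches on the name (assumption, not stated by the advisory)
# to show that the gate has to cover matching as well as output.
def search_ignoring_setting(term, _settings)
  t = term.downcase
  USERS.select { |u| u.username.start_with?(t) || u.name.downcase.include?(t) }
       .map { |u| { username: u.username, name: u.name } }
end

# Hardened behaviour: enable_names gates both the match and the output.
def search_respecting_setting(term, settings)
  t = term.downcase
  USERS.select do |u|
    u.username.start_with?(t) ||
      (settings.enable_names && u.name.downcase.include?(t))
  end.map do |u|
    row = { username: u.username }
    row[:name] = u.name if settings.enable_names
    row
  end
end

# Regression check: true if any result for the probe terms carries a :name key.
def leaks_names?(search, settings)
  %w[jd doe smith].any? do |term|
    send(search, term, settings).any? { |row| row.key?(:name) }
  end
end
```

A check like `leaks_names?` belongs in the test suite with the setting disabled, so a later change to the search path cannot silently reintroduce the disclosure.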

Added: Dec 30, 2025, 6:17 PM
Updated: Dec 30, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.