Discourse Sensitive Data Exposure Vulnerability for Non-Admin Moderators

Vulnerability

A vulnerability in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows non-admin moderators to access sensitive information in staff action logs that should be restricted to administrators. The exposed data includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This access enables moderators to bypass intended access controls and extract confidential information by monitoring the staff action logs. Additionally, leaked webhook secrets could be used to spoof webhook events to integrated services.

Impact

The vulnerability allows non-admin moderators to access and extract sensitive information from staff action logs, bypassing intended access controls. This could lead to unauthorized disclosure of confidential data, including private messages and restricted category information.

Remediation

Users can upgrade to Discourse versions 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users.
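The flaw described above is an authorization boundary problem: the staff action log was shown to any staff member, even though some entries (webhook URLs and secrets, API key details, site setting changes, private message content, restricted category and private chat channel names) are only appropriate for administrators. The following Ruby example, added here and not Discourse's own code, models a log viewer with the vulnerable "any staff sees everything" behaviour beside a hardened version that hides admin-only actions from moderators and strips secret-bearing detail fields from whatever remains. The action names, detail keys and sample entries are constructed for illustration and are not Discourse's real identifiers.

```ruby
# Added example, not Discourse's own code: a minimal staff action log viewer
# that applies the admin/moderator boundary described in the advisory.
# All action names, detail keys and entries below are constructed.

require 'set'

# Actions whose details only an administrator should see (illustrative names).
ADMIN_ONLY_ACTIONS = Set.new(%w[
  web_hook_create web_hook_update web_hook_destroy
  api_key_create api_key_update api_key_destroy
  change_site_setting
]).freeze

# Detail keys that can carry secrets or private content regardless of action.
SENSITIVE_DETAIL_KEYS = Set.new(%w[payload_url secret raw category_name channel_title]).freeze

Viewer = Struct.new(:admin, :moderator, keyword_init: true) do
  def staff?
    admin || moderator
  end
end

# Vulnerable behaviour: every staff member receives every entry unfiltered.
def visible_entries_vulnerable(entries, viewer)
  return [] unless viewer.staff?
  entries
end

# Hardened behaviour: admins see everything; moderators never see admin-only
# actions, and sensitive detail keys are dropped from the entries they do see.
def visible_entries_hardened(entries, viewer)
  return [] unless viewer.staff?
  return entries if viewer.admin

  entries
    .reject { |e| ADMIN_ONLY_ACTIONS.include?(e[:action]) }
    .map do |e|
      safe_details = e[:details].reject { |k, _| SENSITIVE_DETAIL_KEYS.include?(k.to_s) }
      e.merge(details: safe_details)
    end
end

# Constructed sample log entries (values are placeholders, not real data).
SAMPLE_ENTRIES = [
  { id: 1, action: 'web_hook_create',
    details: { 'payload_url' => 'https://hooks.example.invalid/x', 'secret' => 'constructed-secret' } },
  { id: 2, action: 'change_site_setting',
    details: { 'setting' => 'example_setting', 'new_value' => 'true' } },
  { id: 3, action: 'delete_post',
    details: { 'post_id' => 42, 'raw' => 'private message body (constructed)' } },
  { id: 4, action: 'suspend_user',
    details: { 'username' => 'example_user', 'reason' => 'constructed' } },
].freeze

MODERATOR = Viewer.new(admin: false, moderator: true)
ADMIN = Viewer.new(admin: true, moderator: true)

# True when any entry in a rendered view still carries a secret-bearing key;
# this is the check a reviewer would run against the moderator's view.
def leaks_to_moderator?(entries)
  entries.any? { |e| e[:details].keys.any? { |k| SENSITIVE_DETAIL_KEYS.include?(k.to_s) } }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable view leaks: #{leaks_to_moderator?(visible_entries_vulnerable(SAMPLE_ENTRIES, MODERATOR))}"
  puts "hardened view leaks:   #{leaks_to_moderator?(visible_entries_hardened(SAMPLE_ENTRIES, MODERATOR))}"
end
```

The hardened filter applies two independent controls: a deny-list of whole actions that moderators have no business seeing, and a field-level redaction so that an action a moderator may legitimately see (such as a post deletion) does not carry the raw private content along with it. Keeping both makes the viewer robust when a new action type is added and someone forgets to classify it.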

Added: Jan 28, 2026, 9:23 PM
Updated: Jan 28, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 3.3
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.