Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 0
- >= 2026.1.0-latest
- >= 2026.2.0-latest
An IDOR vulnerability has been identified in the directory items endpoint of Discourse, an open-source discussion platform. This vulnerability, present in versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, allows any user, including anonymous users, to access private user field values for all users in the directory. The issue arises because the 'user_field_ids' parameter in 'DirectoryItemsController#index' accepts arbitrary user field IDs without proper authorization checks. This bypasses visibility restrictions that are enforced in other areas, such as through the 'UserCardSerializer' via 'Guardian#allowed_user_field_ids'. As a result, an attacker can exploit this vulnerability to request private field values, such as phone numbers or addresses, for every user in the directory, enabling bulk exfiltration of sensitive data.
Exploitation of this vulnerability allows for unauthorized access to private user data, including phone numbers, addresses, and other sensitive custom fields that administrators have designated as non-public. This vulnerability could lead to privacy violations and misuse of personal information.
Users can upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability. Alternatively, site administrators can remove sensitive data from private user fields or disable the user directory through the 'enable_user_directory' site setting.
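To make the authorization gap described above concrete, here is an added illustration in plain Ruby; it is not Discourse's code. `UserField`, `Guardian` and the pipe-separated `user_field_ids` format are stand-ins constructed for this example, and the fix shown (intersecting requested ids with the guardian's allowed ids) is one way to enforce the same visibility rule the description says the user card already applies.

```ruby
# Added example (not Discourse's own code): the authorization gap described
# above, modelled with plain Ruby objects. UserField, Guardian and the
# pipe-separated user_field_ids format are stand-ins for this illustration.

# A custom user field; show_on_profile marks the ones an admin made public.
UserField = Struct.new(:id, :name, :show_on_profile)

# Constructed sample data: two public fields and two private ones.
USER_FIELDS = [
  UserField.new(1, "Location", true),
  UserField.new(2, "Website", true),
  UserField.new(3, "Phone", false),
  UserField.new(4, "Address", false),
].freeze

# Stand-in guardian: an ordinary (or anonymous) viewer may only see public
# fields, a staff viewer may see all of them.
class Guardian
  def initialize(staff: false)
    @staff = staff
  end

  def allowed_user_field_ids
    fields = @staff ? USER_FIELDS : USER_FIELDS.select(&:show_on_profile)
    fields.map(&:id)
  end
end

# Vulnerable pattern: the request's user_field_ids are trusted as given,
# so ids of private fields are passed straight through to the query.
def selected_field_ids_unsafe(params)
  params.fetch("user_field_ids", "").split("|").map(&:to_i)
end

# Hardened pattern: intersect the request with what the guardian permits,
# so private field ids are dropped instead of served.
def selected_field_ids_safe(params, guardian)
  requested = params.fetch("user_field_ids", "").split("|").map(&:to_i)
  requested & guardian.allowed_user_field_ids
end

if __FILE__ == $PROGRAM_NAME
  params = { "user_field_ids" => "1|3|4" }
  p selected_field_ids_unsafe(params)                          # [1, 3, 4]
  p selected_field_ids_safe(params, Guardian.new)              # [1]
  p selected_field_ids_safe(params, Guardian.new(staff: true)) # [1, 3, 4]
end
```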