Discourse Missing Authorization Vulnerability in Data Explorer Query Group Bookmarks Allowing Unauthorized Metadata Disclosure
Vulnerability
Discourse's Data Explorer feature, in versions prior to 2025.12.2, 2026.1.1 and 2026.2.0, allows any logged-in user to create a bookmark for a query group they do not have access to. The bookmark creation path performed no authorization check against the target query group, so the bookmark is created and the reminder notification it later triggers discloses metadata about the restricted query group. The fixed versions add the missing authorization check and change the `validate_before_create` method of the BaseBookmarkable class so that it raises a NotImplementedError when a bookmarkable type does not implement it; a future bookmarkable that omits the check therefore fails closed instead of silently skipping validation.
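The fail-closed pattern the fix describes, shown as an added example for this page rather than Discourse's or the Data Explorer feature's own code. QueryGroup, Guardian, InvalidAccess and the Bookmarks module are assumed, simplified stand-ins for the real models, guardian and bookmark flow; the vulnerable shape sits beside the corrected one so the three outcomes can be compared:

```ruby
# Added example for this page: not Discourse's or the Data Explorer feature's
# code. QueryGroup, Guardian, InvalidAccess and Bookmarks are assumed,
# simplified stand-ins for the real models, guardian and bookmark flow.

# Stand-in for a restricted query group: visible only to the listed groups.
QueryGroup = Struct.new(:id, :name, :allowed_group_ids)

# Stand-in for the acting user and the permission check a guardian would do.
Guardian = Struct.new(:user_id, :group_ids) do
  def can_see_query_group?(query_group)
    (group_ids & query_group.allowed_group_ids).any?
  end
end

class InvalidAccess < StandardError; end

# Shape before the fix: the base class default is a silent no-op, so a
# bookmarkable that forgets to override it skips authorization entirely.
module Vulnerable
  class BaseBookmarkable
    def self.validate_before_create(_guardian, _bookmarkable); end
  end

  # No override: any logged-in user can bookmark any query group.
  class QueryGroupBookmarkable < BaseBookmarkable; end
end

# Shape after the fix: the base class fails closed, and the query group
# bookmarkable performs the check that was missing.
module Fixed
  class BaseBookmarkable
    def self.validate_before_create(_guardian, _bookmarkable)
      raise NotImplementedError, "#{name} must implement validate_before_create"
    end
  end

  class QueryGroupBookmarkable < BaseBookmarkable
    def self.validate_before_create(guardian, query_group)
      return if guardian.can_see_query_group?(query_group)
      raise InvalidAccess, "user #{guardian.user_id} cannot see query group #{query_group.id}"
    end
  end

  # A future bookmarkable that omits the override no longer passes silently.
  class ForgetfulBookmarkable < BaseBookmarkable; end
end

module Bookmarks
  # Creates the bookmark row. The stored name is the metadata a reminder
  # notification would later echo back to the bookmark's owner.
  def self.create(bookmarkable_class, guardian, bookmarkable)
    bookmarkable_class.validate_before_create(guardian, bookmarkable)
    { user_id: guardian.user_id, bookmarkable_id: bookmarkable.id, name: bookmarkable.name }
  end

  # Summarises an attempt so the three behaviours can be compared directly.
  def self.attempt(bookmarkable_class, guardian, bookmarkable)
    create(bookmarkable_class, guardian, bookmarkable)
    :created
  rescue InvalidAccess
    :denied
  rescue NotImplementedError
    :not_implemented
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: a query group restricted to group id 42.
  finance  = QueryGroup.new(7, "Finance SQL", [42])
  outsider = Guardian.new(1, [10])
  member   = Guardian.new(2, [42])

  puts Bookmarks.attempt(Vulnerable::QueryGroupBookmarkable, outsider, finance) # created (metadata leak)
  puts Bookmarks.attempt(Fixed::QueryGroupBookmarkable, outsider, finance)      # denied
  puts Bookmarks.attempt(Fixed::QueryGroupBookmarkable, member, finance)        # created
  puts Bookmarks.attempt(Fixed::ForgetfulBookmarkable, outsider, finance)       # not_implemented
end
```

The point of the NotImplementedError default is the last case: with a no-op base method, a new bookmarkable type that forgets the override behaves exactly like the vulnerable one, whereas the raising default turns that omission into an immediate, visible failure at the first bookmark attempt.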
Impact
A logged-in user can bookmark a query group they are not authorized to see and then receive reminder notifications for it, disclosing metadata about the restricted query group to a user who should have no visibility into it.
Remediation
Users are advised to upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.
