Discourse Overly Permissive Allowlist Vulnerability in CSV Export Endpoint Allows Unauthorized Chat DM Exports

Vulnerability

A vulnerability in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 allowed moderators to export user Chat direct messages through an overly permissive allowlist in the 'can_export_entity?' method. Rather than adhering to a strict allowlist, the check permitted the export of any entity that was not explicitly blocked, so it effectively behaved as a denylist. The issue has been patched in versions 2025.12.2, 2026.1.1, and 2026.2.0.
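
The two authorization models described above, side by side, as an added Ruby illustration; this is not Discourse's code, and the entity names, roles and method names are constructed for the example.

```ruby
require "set"

# Constructed sample data (not Discourse's real entity names or policy).
# Under the vulnerable model, moderators were denied only what was listed;
# "chat_direct_messages" stands in for the entity nobody thought to block.
MODERATOR_DENYLIST  = Set["staff_actions", "user_emails"].freeze
MODERATOR_ALLOWLIST = Set["reports", "user_archive"].freeze
KNOWN_ENTITIES      = %w[reports user_archive staff_actions user_emails chat_direct_messages].freeze

# Vulnerable pattern: fail open. Anything not explicitly denied is exported.
def can_export_entity_denylist?(role, entity)
  return false unless role == :moderator
  !MODERATOR_DENYLIST.include?(entity)
end

# Fixed pattern: fail closed. Only entities explicitly permitted are exported,
# so a newly added entity type stays blocked until someone deliberately lists it.
def can_export_entity_allowlist?(role, entity)
  return false unless role == :moderator
  MODERATOR_ALLOWLIST.include?(entity)
end

# Review helper: every entity a role can export under a given policy.
def exportable_entities(policy, role, entities = KNOWN_ENTITIES)
  entities.select { |e| send(policy, role, e) }
end

# Regression check: entities the old policy exposed that the new one denies.
# A non-empty result is exactly the unintended export surface the denylist left open.
def entities_closed_by_fix(role, entities = KNOWN_ENTITIES)
  exportable_entities(:can_export_entity_denylist?, role, entities) -
    exportable_entities(:can_export_entity_allowlist?, role, entities)
end
```

Running the regression helper against every entity type the export endpoint knows about is the check a reviewer would want after such a fix: anything it returns was exportable only because of the fail-open logic.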

Impact

Exploitation of this vulnerability allowed moderators to improperly export user Chat direct messages via the CSV export endpoint.

Remediation

Users are advised to upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.

Added: Feb 26, 2026, 10:32 PM
Updated: Feb 26, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 3.3
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.