Discourse Unscoped Metadata Lookup Vulnerability Allows Unauthorized Access to Private Topic Data

Vulnerability

A vulnerability exists in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where an API endpoint discloses private topic metadata belonging to admin users to moderators who cannot read those topics, an information disclosure issue. The root cause is unscoped lookups in the 'CreditStatusChecker' service: the lookups are not filtered by the requesting user's permissions, so restricted metadata is returned to any logged-in user regardless of whether they are authorized to see the underlying topics.
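
The pattern behind the bug, as an added illustration that is not Discourse or discourse-ai code: a status lookup that collects topic metadata by id without consulting the caller's visibility, beside the same lookup filtered through a permission check, plus the regression check a reviewer would add. The `Topic`, `User`, `can_see?` and `credit_status_*` names and the sample data are constructed for this example and are not the names used in the 'CreditStatusChecker' service.

```ruby
# Added example, not Discourse code. Models, data and the can_see? rule are
# hypothetical stand-ins for the real topic/guardian logic.

Topic = Struct.new(:id, :title, :owner, :private, :allowed_users, keyword_init: true)
User  = Struct.new(:name, :admin, :moderator, keyword_init: true)

# Constructed sample data: one public topic, one private admin topic,
# one private topic the moderator is allowed to read.
TOPICS = [
  Topic.new(id: 1, title: "Public announcement",      owner: "admin", private: false, allowed_users: []),
  Topic.new(id: 2, title: "Admin-only budget thread", owner: "admin", private: true,  allowed_users: ["admin"]),
  Topic.new(id: 3, title: "Mod-only review thread",   owner: "mod",   private: true,  allowed_users: ["mod"]),
].freeze

MOD   = User.new(name: "mod",   admin: false, moderator: true)
ADMIN = User.new(name: "admin", admin: true,  moderator: false)

# Hypothetical visibility rule: admins see everything, public topics are
# visible to all, private topics only to users listed on them.
def can_see?(user, topic)
  return true if user.admin
  return true unless topic.private
  topic.allowed_users.include?(user.name)
end

def summarize(topics)
  topics.map { |t| { id: t.id, title: t.title, owner: t.owner } }
end

# Vulnerable shape: the lookup is keyed only on the ids referenced by the
# credit record; who is asking never enters the query.
def credit_status_unscoped(topic_ids, _requester)
  summarize(TOPICS.select { |t| topic_ids.include?(t.id) })
end

# Hardened shape: identical lookup, but every candidate row is filtered
# through the requester's visibility before it reaches the response.
def credit_status_scoped(topic_ids, requester)
  summarize(TOPICS.select { |t| topic_ids.include?(t.id) && can_see?(requester, t) })
end

# Regression check: any id the unscoped path returns that the scoped path
# withholds is exactly the metadata leak described in the advisory.
def leaked_ids(topic_ids, requester)
  unscoped = credit_status_unscoped(topic_ids, requester).map { |r| r[:id] }
  scoped   = credit_status_scoped(topic_ids, requester).map { |r| r[:id] }
  unscoped - scoped
end

if __FILE__ == $PROGRAM_NAME
  ids = TOPICS.map(&:id)
  puts "moderator, unscoped: #{credit_status_unscoped(ids, MOD).map { |r| r[:id] }.inspect}"
  puts "moderator, scoped:   #{credit_status_scoped(ids, MOD).map { |r| r[:id] }.inspect}"
  puts "leaked to moderator: #{leaked_ids(ids, MOD).inspect}"
end
```

The fix is not a new permission model; it is applying the existing one at the point where rows are loaded. When auditing similar services, look for any query that is built from ids taken off a record (credit entry, notification, log line) and check that the result set is intersected with what the current user may see before serialization.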

Impact

Exploitation allows a moderator who is not authorized to read the affected topics to obtain private topic metadata belonging to admin users, a breach of confidentiality for information that should have remained restricted.

Reproduction

The vulnerability can be reproduced by a logged-in moderator requesting credit status for AI agents or LLM models. The response includes metadata from admin users' private topics that the moderator cannot otherwise access.

Remediation

Upgrade to Discourse 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, the releases in which this vulnerability is patched.

Added: Mar 19, 2026, 10:58 PM
Updated: Mar 19, 2026, 10:58 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.