Discourse Hidden Group Membership Disclosure Vulnerability via ComposerController Mentions Endpoint

Vulnerability

A vulnerability in Discourse's ComposerController#mentions endpoint allows authenticated users to access hidden group membership information. This issue affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability arises when users can message a group and supply 'allowed_names' that reference hidden-membership groups. By probing with different usernames, an attacker can infer group membership from the 'user_reasons' field of the response, which reports 'private' for certain users. This bypasses the existing group member visibility controls.

Impact

Exploitation of this vulnerability can lead to unauthorized disclosure of hidden group memberships, allowing users to gain insights into private group affiliations that should remain confidential.

Remediation

To address this vulnerability, update Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. Additionally, for any hidden-membership groups, restrict the messageable policy to staff or group members only, preventing untrusted users from accessing the vulnerable code path.
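The following Ruby sketch is an added illustration, not Discourse's own code, of the two points above: how a per-username "reason" in a mentions-style response can act as a membership oracle for a hidden-membership group, and how a handler that honours both the messageable policy and the member-visibility rule removes that signal. The User and Group structs, the field names, the helper methods and the "private"/"not_allowed" values are all hypothetical; the sample group and users are constructed.

```ruby
# Added illustration, not Discourse's own code. All names, fields and the
# "private"/"not_allowed" reason values are hypothetical.

User  = Struct.new(:username, :staff)
# members_visibility: :public or :hidden
# messageable: :everyone or :members_and_staff
Group = Struct.new(:name, :members, :members_visibility, :messageable)

def member?(user, group)
  group.members.include?(user.username)
end

# May the requester learn who is in the group?
def can_see_members?(requester, group)
  return true if group.members_visibility == :public
  requester.staff || member?(requester, group)
end

# May the requester address the group at all? Mirrors the advisory's
# mitigation of restricting the messageable policy to staff or members.
def can_message?(requester, group)
  return true if group.messageable == :everyone
  requester.staff || member?(requester, group)
end

# Vulnerable shape: the reason depends only on membership, regardless of
# whether the requester may see it, so the value differs exactly for members.
def user_reasons_vulnerable(_requester, group, names)
  names.each_with_object({}) do |name, reasons|
    reasons[name] = group.members.include?(name) ? "private" : "not_allowed"
  end
end

# Hardened shape: refuse when the requester cannot message the group, and
# collapse the reason to a single value when membership is hidden from them.
def user_reasons_hardened(requester, group, names)
  return nil unless can_message?(requester, group)
  visible = can_see_members?(requester, group)
  names.each_with_object({}) do |name, reasons|
    reasons[name] =
      if visible && group.members.include?(name)
        "private"
      else
        "not_allowed"
      end
  end
end

# Review check: a response leaks membership if one caller can obtain
# different reasons for different usernames against the same hidden group.
def leaks_membership?(handler, requester, group, names)
  reasons = send(handler, requester, group, names)
  return false if reasons.nil?
  reasons.values.uniq.size > 1
end

# Constructed sample data.
HIDDEN_GROUP = Group.new("finance-leads", %w[alice bob], :hidden, :everyone)
OUTSIDER = User.new("mallory", false)   # neither staff nor member
INSIDER  = User.new("alice", false)     # a member, allowed to see peers
PROBE    = %w[alice carol]              # one member, one non-member

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable leaks? #{leaks_membership?(:user_reasons_vulnerable, OUTSIDER, HIDDEN_GROUP, PROBE)}"
  puts "hardened leaks?   #{leaks_membership?(:user_reasons_hardened, OUTSIDER, HIDDEN_GROUP, PROBE)}"
end
```

The leak check is the useful part for a code reviewer: run the handler as a non-member against one known member and one non-member, and any difference in the returned reasons is a membership bit escaping the visibility control. Setting the group's messageable policy to members and staff closes the path entirely for outsiders, which is why the advisory recommends it as an interim measure.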

Added: Mar 20, 2026, 3:31 AM
Updated: Mar 20, 2026, 3:31 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.9
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.