Discourse Profile Data Exposure Vulnerability in User Onebox Preview

Vulnerability

A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 exposes profile information that a user has chosen to hide. When a user has the 'hide_profile' setting enabled, their bio, location, and website could still be retrieved through the user onebox preview: an authenticated user could request a onebox for the hidden user's profile URL and receive the concealed profile details in the response.
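
An added example, not Discourse's own code, modelling the missing authorization check in Ruby: a hypothetical onebox preview builder that returns the hidden fields regardless of hide_profile, beside one that omits them unless the viewer is the profile owner or a staff member. The owner/staff exemption, the User struct and all function names are assumptions for this illustration.

```ruby
# Hypothetical model of the user onebox preview check (added example, not Discourse's code).
# A user's onebox preview should omit bio, location and website when that user has
# hide_profile enabled. Who is still allowed to see them (owner, staff) is an assumption.

User = Struct.new(:id, :username, :bio, :location, :website, :hide_profile, :staff,
                  keyword_init: true)

# Fields the hide_profile setting is meant to conceal.
HIDDEN_PROFILE_FIELDS = %i[bio location website].freeze

# Assumed policy: the profile owner and staff may still see a hidden profile.
def can_see_hidden_profile?(viewer, target)
  return false if viewer.nil?
  viewer.id == target.id || viewer.staff
end

# Vulnerable shape: builds the preview from the full profile without consulting hide_profile.
def build_user_onebox_vulnerable(_viewer, target)
  { username: target.username, bio: target.bio,
    location: target.location, website: target.website }
end

# Hardened shape: the concealed fields are added only when the viewer is authorized.
def build_user_onebox(viewer, target)
  preview = { username: target.username }
  if !target.hide_profile || can_see_hidden_profile?(viewer, target)
    HIDDEN_PROFILE_FIELDS.each { |field| preview[field] = target[field] }
  end
  preview
end

# Constructed sample users so the example runs stand-alone.
HIDDEN_USER = User.new(id: 1, username: "alice", bio: "Bio text", location: "Somewhere",
                       website: "https://example.org", hide_profile: true, staff: false)
OTHER_USER = User.new(id: 2, username: "bob", bio: "", location: "", website: "",
                      hide_profile: false, staff: false)
STAFF_USER = User.new(id: 3, username: "mod", bio: "", location: "", website: "",
                      hide_profile: false, staff: true)

if __FILE__ == $0
  p build_user_onebox_vulnerable(OTHER_USER, HIDDEN_USER) # leaks bio, location, website
  p build_user_onebox(OTHER_USER, HIDDEN_USER)            # username only
  p build_user_onebox(STAFF_USER, HIDDEN_USER)            # full preview (assumed staff policy)
end
```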

Impact

This vulnerability leads to the unauthorized disclosure of hidden profile information, including bio, location, and website, for users with the 'hide_profile' setting enabled.

Remediation

Users are advised to upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Added: Mar 19, 2026, 10:26 PM
Updated: Mar 19, 2026, 10:26 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.