Discourse CSV Export Vulnerability for Admin-Only Reports

Vulnerability

A vulnerability in Discourse allows moderators to export CSV data from reports that are restricted to admins. This issue affects Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The vulnerability arises because the CSV export path lets moderators bypass report visibility restrictions, potentially exposing sensitive operational data intended only for admins.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive operational data by allowing moderators to export admin-only reports, such as 'top_uploads', which could be misused or disclosed inappropriately.

Reproduction

To reproduce this vulnerability, a moderator uses the CSV export endpoint to request an admin-only report. The export is processed without the visibility check that normally applies to such reports, so the admin-only restriction is bypassed.
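The following is an added example, not Discourse's own code, that models the class of bug described above: an export path that only checks for "staff" beside a hardened version that reuses the report's own visibility rule. The report registry, the User struct and the report name 'posts_by_day' are constructed for illustration; only 'top_uploads' comes from the advisory.

```ruby
# Added example (not Discourse's own code). Models the authorization bug in
# this advisory: the CSV export path must apply the same admin-only check
# that the report itself enforces, not a weaker "is staff" check.

# Constructed report registry. 'top_uploads' is named in the advisory as an
# admin-only report; 'posts_by_day' is a constructed staff-visible report.
REPORTS = {
  "top_uploads"  => { admin_only: true },
  "posts_by_day" => { admin_only: false },
}.freeze

# Constructed user model: moderators and admins are both "staff".
User = Struct.new(:username, :admin, :moderator, keyword_init: true) do
  def staff?
    admin || moderator
  end
end

# Visibility rule applied when a report is rendered for a user.
def can_view_report?(user, report_name)
  report = REPORTS[report_name]
  return false if report.nil?
  return false unless user.staff?
  !report[:admin_only] || user.admin
end

# Vulnerable pattern: the export path only checks "is staff", so a moderator
# can export an admin-only report that they could never view.
def export_allowed_vulnerable?(user, report_name)
  REPORTS.key?(report_name) && user.staff?
end

# Hardened pattern: the export path delegates to the exact visibility rule
# used for viewing, so the two code paths cannot disagree.
def export_allowed_fixed?(user, report_name)
  can_view_report?(user, report_name)
end

if __FILE__ == $PROGRAM_NAME
  mod = User.new(username: "mod", admin: false, moderator: true)
  %w[top_uploads posts_by_day].each do |name|
    puts "#{name}: vulnerable=#{export_allowed_vulnerable?(mod, name)} " \
         "fixed=#{export_allowed_fixed?(mod, name)}"
  end
end
```

The detection-side takeaway is the same: any export or download job should be audited against the permission check of the object it exports, not against a coarser role check.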

Remediation

Users are advised to upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0.

Added: Mar 31, 2026, 6:50 PM
Updated: Mar 31, 2026, 6:50 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 3.1
exploitability: 4.3
remediation: 7.7
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.