Discourse Unauthorized Channel Membership Inference Vulnerability

Vulnerability

A vulnerability allowing unauthorized inference of channel membership has been identified in Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. This issue arises from the chat user search feature, which can be exploited to deduce channel memberships without proper authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized users inferring channel memberships, potentially allowing them to access private discussions or direct messages.

Reproduction

The vulnerability can be reproduced by sending a chat user search request that includes the 'excluded_memberships_channel_id' parameter. If the specified channel is private and the user does not have access to it, the response will still include information about users in that channel, thereby allowing inference of channel membership.
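As an added illustration of the authorization gap described above (this is not Discourse's own code; the data model, function names and sample data are hypothetical), a simplified user search in Ruby with the unchecked exclusion filter beside a version that verifies the requester's access to the channel first:

```ruby
# Added illustration, not Discourse's code: a simplified chat user search
# with an optional "exclude members of channel X" filter. Names are hypothetical.
Channel = Struct.new(:id, :private, :member_ids, keyword_init: true)
User    = Struct.new(:id, :username, keyword_init: true)

class ChannelAccessError < StandardError; end

# Constructed sample data: one public channel and one private channel.
USERS = [
  User.new(id: 1, username: "alice"),
  User.new(id: 2, username: "bob"),
  User.new(id: 3, username: "carol"),
].freeze

CHANNELS = {
  10 => Channel.new(id: 10, private: false, member_ids: [1, 2, 3]),
  20 => Channel.new(id: 20, private: true,  member_ids: [1, 2]),
}.freeze

def can_see_channel?(requester_id, channel)
  !channel.private || channel.member_ids.include?(requester_id)
end

# Vulnerable pattern: the filter is applied to whatever channel id the caller
# supplies; requester_id is never consulted. Comparing this result with an
# unfiltered search reveals the channel's members to a non-member.
def search_users_vulnerable(requester_id, excluded_memberships_channel_id: nil)
  results = USERS
  if excluded_memberships_channel_id
    channel = CHANNELS.fetch(excluded_memberships_channel_id)
    results = results.reject { |u| channel.member_ids.include?(u.id) }
  end
  results.map(&:username)
end

# Hardened pattern: the channel may only influence the result set if the
# requester can see it. A forbidden channel is treated exactly like a
# nonexistent one, so the error does not confirm that the channel exists.
def search_users_fixed(requester_id, excluded_memberships_channel_id: nil)
  results = USERS
  if excluded_memberships_channel_id
    channel = CHANNELS[excluded_memberships_channel_id]
    if channel.nil? || !can_see_channel?(requester_id, channel)
      raise ChannelAccessError, "channel not found"
    end
    results = results.reject { |u| channel.member_ids.include?(u.id) }
  end
  results.map(&:username)
end
```

The detection angle is the same check in reverse: a user search request carrying an excluded_memberships_channel_id the requester cannot see should be logged as an anomaly, since a legitimate client has no reason to send it.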

Remediation

Users can update to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0 to address this vulnerability. As a temporary measure, chat can be disabled entirely or restricted to trusted groups.

Added: Mar 31, 2026, 6:43 PM
Updated: Mar 31, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 5.7
remediation: 8.3
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.