Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.1.0-latest, < 2026.1.3
- >= 2026.2.0-latest, < 2026.2.2
- >= 2026.3.0-latest, < 2026.3.0
A vulnerability in Discourse allows non-staff users to access read receipt information for staff-only posts they are not permitted to see. This issue affects Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The root cause is missing post-level authorization: the endpoint returning reader data did not verify that the requesting user could see the post. The patched versions add that authorization check before any reader data is returned.
Exploitation of this vulnerability allowed non-staff users to access metadata indicating who had read specific staff-only posts and when, without revealing the post content itself.
To reproduce this vulnerability, a non-staff user requests the reader information for a whisper post that is restricted to staff members. Because no authorization check is applied at the post level, the request succeeds and discloses the read receipt metadata (reader and read time) for that post.
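The following is an added illustration, not code from Discourse or from the advisory: a minimal Ruby model of the read-receipt lookup described above, showing the unchecked lookup beside one that applies a post-level visibility check before returning reader data. The names (`can_see_post?`, `post_readers_unchecked`, `post_readers_checked`, `NotAuthorized`), the data structures, and the simplified rule that whispers are visible only to staff are all assumptions made for this example; the sample users, posts, and read receipts are constructed.

```ruby
# Added example (not Discourse's code): read-receipt lookup with and without
# the post-level authorization check the advisory describes.

# Constructed model types (assumed for this example).
User = Struct.new(:id, :name, :staff, keyword_init: true)
Post = Struct.new(:id, :topic_id, :whisper, keyword_init: true)

class NotAuthorized < StandardError; end

# Simplified visibility rule (assumption): a whisper post is visible only to
# staff; any other post is visible to everyone, including anonymous users.
def can_see_post?(user, post)
  return true unless post.whisper
  !user.nil? && user.staff
end

# Constructed sample posts: post 1 is a staff-only whisper, post 2 is a
# normal post in the same topic.
POSTS = {
  1 => Post.new(id: 1, topic_id: 7, whisper: true),
  2 => Post.new(id: 2, topic_id: 7, whisper: false),
}.freeze

# Constructed read receipts: post_id => [[user_id, read_at], ...]
READ_RECEIPTS = {
  1 => [[10, Time.utc(2026, 3, 1, 9, 0)], [11, Time.utc(2026, 3, 1, 9, 5)]],
  2 => [[12, Time.utc(2026, 3, 1, 10, 0)]],
}.freeze

# Vulnerable shape: reader metadata is returned for whatever post id the
# caller names, with no check that the caller may see that post. A non-staff
# caller asking for post 1 (a whisper) learns who read it and when.
def post_readers_unchecked(_current_user, post_id)
  (READ_RECEIPTS[post_id] || []).map { |uid, at| { user_id: uid, read_at: at } }
end

# Fixed shape: refuse unless the requester can see the post itself. A missing
# post and a post the caller may not see produce the same error, so the
# endpoint does not become an oracle for whether a hidden post id exists.
def post_readers_checked(current_user, post_id)
  post = POSTS[post_id]
  if post.nil? || !can_see_post?(current_user, post)
    raise NotAuthorized, "post #{post_id} is not visible to this user"
  end
  post_readers_unchecked(current_user, post_id)
end

if __FILE__ == $PROGRAM_NAME
  member = User.new(id: 20, name: "member", staff: false)
  moderator = User.new(id: 21, name: "moderator", staff: true)

  puts "unchecked, non-staff, whisper: #{post_readers_unchecked(member, 1).size} readers leaked"
  puts "checked, staff, whisper:       #{post_readers_checked(moderator, 1).size} readers"
  begin
    post_readers_checked(member, 1)
  rescue NotAuthorized => e
    puts "checked, non-staff, whisper:   #{e.message}"
  end
end
```

The point of the fixed variant is that the authorization decision is made on the post, not on the topic or on the existence of the read-tracking feature: a user who cannot see a post must not be able to see who read it either.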
Users can upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0 to address this vulnerability.