Discourse Authorization Bypass Vulnerability in Oneboxer Allowing Shared Draft Title Disclosure

Vulnerability

An authorization bypass vulnerability has been identified in Discourse's Oneboxer feature, affecting versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. This vulnerability allows authenticated users to access titles of shared draft topics by sending an inline Onebox request with a category_id parameter that matches the shared drafts category. The issue arises because the Oneboxer.local_topic method skips the necessary visibility check for topics when the category IDs match, enabling users to bypass access controls and view shared draft titles, although not the content of the posts.
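The flawed control flow described above, reduced to a self-contained Ruby model (added illustration, not Discourse's code; Topic, Guardian, the topic table and the category id 7 are all constructed for the example): the vulnerable lookup returns the topic as soon as the caller-supplied category_id matches, so the visibility check never runs, while the hardened lookup checks visibility unconditionally.

```ruby
# Added illustration, not Discourse's code. All names and values are
# hypothetical and constructed for this example.
Topic = Struct.new(:id, :title, :category_id, :read_restricted)

class Guardian
  def initialize(staff:)
    @staff = staff
  end

  # Toy visibility rule: read-restricted topics are visible to staff only.
  def can_see?(topic)
    !topic.read_restricted || @staff
  end
end

SHARED_DRAFTS_CATEGORY_ID = 7 # constructed value

TOPICS = {
  42 => Topic.new(42, "Upcoming announcement (draft)", SHARED_DRAFTS_CATEGORY_ID, true),
  43 => Topic.new(43, "Public topic", 1, false),
}.freeze

# Vulnerable pattern: a matching category_id short-circuits past the guardian,
# so a non-staff caller who supplies the shared drafts category id receives the
# draft's title. Only the title leaks here; post content is never returned.
def local_topic_vulnerable(topic_id, category_id, guardian)
  topic = TOPICS[topic_id]
  return nil unless topic
  return topic if category_id == topic.category_id # visibility check skipped
  guardian.can_see?(topic) ? topic : nil
end

# Hardened pattern: the visibility check runs for every lookup; the category
# match is only an additional filter on top of it, never a substitute for it.
def local_topic_fixed(topic_id, category_id, guardian)
  topic = TOPICS[topic_id]
  return nil unless topic && guardian.can_see?(topic)
  return nil unless category_id.nil? || category_id == topic.category_id
  topic
end
```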

Impact

Exploitation of this vulnerability allows authenticated users to bypass topic-level access controls and access titles of shared draft topics, potentially leading to unauthorized disclosure of information.

Reproduction

To reproduce this vulnerability, an authenticated user can send an inline Onebox request to the '/inline-onebox.json' endpoint. The request must include a category_id parameter that matches the shared drafts category, along with the URL of a shared draft topic. If the request is successful, the response will include the title of the shared draft topic, indicating that the vulnerability has been exploited.

Remediation

Users can update to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0 to address this vulnerability. Additionally, as a temporary workaround, users can ensure that the shared_drafts_category site setting points to a read-restricted category, such as staff-only, which will block unauthorized requests before they reach the vulnerable code.

Added: Mar 31, 2026, 6:34 PM
Updated: Mar 31, 2026, 6:34 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.3
remediation: 8.3
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.