Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.1.0-latest, < 2026.1.3
- >= 2026.2.0-latest, < 2026.2.2
- >= 2026.3.0-latest, < 2026.3.0
An authorization bypass vulnerability has been identified in Discourse versions from 2026.1.0-latest up to but not including 2026.1.3, from 2026.2.0-latest up to but not including 2026.2.2, and from 2026.3.0-latest up to but not including 2026.3.0. It allows moderators to obtain information about hidden groups, including group names and user counts, through the show action of the Category Chatables Controller. The root cause is that the Chatables permissions endpoint does not apply group visibility rules when serializing a category's groups, so owner-only and otherwise private groups are exposed to moderators.
Exploitation of this vulnerability could lead to unauthorized access to hidden group information, including names and member counts, by moderators.
To reproduce this vulnerability, a moderator can request the Chat category chatables permissions endpoint for a private category that includes a hidden group. The response will include the names and member counts of groups that should not be visible to the moderator, demonstrating the authorization bypass.
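The defect class is easiest to see as a serializer that forgets to filter by group visibility. The following is an added example, not Discourse's code: the visibility levels mirror Discourse's `Group.visibility_levels` names, but the `Group`/`User` structs, the `group_visible_to?` rule and both response builders are a hypothetical simplification.

```ruby
# Added example, not Discourse's own code. Models the difference between a
# chatables permissions response that serializes every group on a category
# and one that first applies group visibility rules for the requesting user.

# Names mirror Discourse's Group.visibility_levels; the check below is a
# simplified approximation of those rules, not the real implementation.
VISIBILITY = { public: 0, logged_on_users: 1, members: 2, staff: 3, owners: 4 }.freeze

Group = Struct.new(:name, :user_count, :visibility_level, :member_ids, :owner_ids)
User  = Struct.new(:id, :admin, :moderator) do
  def staff?
    admin || moderator
  end
end

# Can `user` (nil for anonymous) see `group`? Admins see everything; each
# higher level is more restrictive; group owners always see their own group.
def group_visible_to?(group, user)
  return true if user&.admin
  owner  = !user.nil? && group.owner_ids.include?(user.id)
  member = !user.nil? && group.member_ids.include?(user.id)
  case group.visibility_level
  when VISIBILITY[:public]          then true
  when VISIBILITY[:logged_on_users] then !user.nil?
  when VISIBILITY[:members]         then member || owner || (!user.nil? && user.staff?)
  when VISIBILITY[:staff]           then owner || (!user.nil? && user.staff?)
  when VISIBILITY[:owners]          then owner
  else false
  end
end

# Vulnerable shape: every group on the category's permission list is exposed,
# including hidden ones, regardless of who is asking.
def chatables_permissions_unfiltered(category_groups)
  category_groups.map { |g| { name: g.name, user_count: g.user_count } }
end

# Hardened shape: filter by visibility before serializing names and counts.
def chatables_permissions_for(category_groups, user)
  category_groups.select { |g| group_visible_to?(g, user) }
                 .map { |g| { name: g.name, user_count: g.user_count } }
end

# Constructed sample data (not real groups or users).
PUBLIC_GROUP = Group.new("helpers", 12, VISIBILITY[:public], [1, 2], [1])
OWNER_ONLY   = Group.new("hidden-council", 3, VISIBILITY[:owners], [7, 8, 9], [7])
MODERATOR    = User.new(42, false, true)
COUNCIL_OWNER = User.new(7, false, false)
```

With the constructed data, the unfiltered builder hands a moderator both group names and counts, while the filtered builder returns only `helpers` to the moderator and both groups to the council owner.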
Users are advised to upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0, where this vulnerability has been patched.