Discourse Whisper Post Visibility Vulnerability in Private Messages

Vulnerability

A vulnerability in Discourse's private messaging system allowed regular participants to access whisper posts in topics they were part of. This issue was present in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability arose because the '/private-posts' endpoint failed to implement proper post-type visibility filters, enabling unauthorized access to sensitive content.

Impact

Exploitation of this vulnerability allowed unauthorized users to view confidential whisper posts in private message topics, breaching privacy and confidentiality.

Reproduction

To reproduce this vulnerability, log in as a regular participant in a private message topic. Send a whisper post in that topic, then access the '/private-posts.json' endpoint. The response will include the whisper post, demonstrating the lack of proper visibility filtering.
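The advisory describes the root cause as a missing post-type visibility filter on the endpoint, and the reproduction as a check of whether a regular participant's listing contains a whisper. The following is an added example, not Discourse's own code: a minimal Ruby model of a "private posts" listing in which the vulnerable variant checks topic participation only, the hardened variant also rejects whisper posts for viewers who are not allowed to see them, and a small regression check reports any whisper ids that leak to such a viewer. Post type constants, the Post/Viewer structs, the sample posts and the function names are all constructed for this illustration.

```ruby
# Added example (not Discourse's code): a post listing with and without a
# post-type visibility filter, plus a check that detects whisper leakage.
require 'set'

module PostType
  REGULAR = 1 # constructed constants; only the distinction between them matters
  WHISPER = 4
end

Post   = Struct.new(:id, :topic_id, :post_type, :raw)
Viewer = Struct.new(:username, :participant_topic_ids, :can_see_whispers)

# Constructed sample data: a private message topic (42) containing one whisper,
# plus a post in a topic (99) the sample viewer is not part of.
SAMPLE_POSTS = [
  Post.new(1, 42, PostType::REGULAR, 'hello'),
  Post.new(2, 42, PostType::WHISPER, 'staff-only note'),
  Post.new(3, 42, PostType::REGULAR, 'reply'),
  Post.new(4, 99, PostType::REGULAR, 'other topic'),
].freeze

# Vulnerable listing: only checks that the viewer participates in the topic.
# Post type is never consulted, so whispers are returned to everyone.
def private_posts_unfiltered(posts, viewer)
  posts.select { |p| viewer.participant_topic_ids.include?(p.topic_id) }
end

# Hardened listing: participation check plus a post-type visibility filter.
def private_posts_filtered(posts, viewer)
  private_posts_unfiltered(posts, viewer).reject do |p|
    p.post_type == PostType::WHISPER && !viewer.can_see_whispers
  end
end

# Regression check: ids of whisper posts present in a listing handed to a viewer
# who may not see whispers. An empty array means no leak.
def leaked_whisper_ids(listing, viewer)
  return [] if viewer.can_see_whispers

  listing.select { |p| p.post_type == PostType::WHISPER }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  regular = Viewer.new('alice', Set[42], false)
  unfiltered = private_posts_unfiltered(SAMPLE_POSTS, regular)
  filtered   = private_posts_filtered(SAMPLE_POSTS, regular)
  puts "unfiltered listing leaks whisper ids: #{leaked_whisper_ids(unfiltered, regular).inspect}"
  puts "filtered listing leaks whisper ids:   #{leaked_whisper_ids(filtered, regular).inspect}"
end
```

The same `leaked_whisper_ids` check is the shape of test a deployment can run against its own post-listing endpoints after upgrading: build a listing as a non-whisper-capable participant and assert the result is empty.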

Remediation

Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch to address this vulnerability.

Added: Mar 19, 2026, 10:20 PM
Updated: Mar 19, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread          2.4
impact          0.6
exploitability  4.3
remediation     7.7
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.