Discourse Chat API Authorization Vulnerability Allowing Group Visibility Bypass and Misuse by Chat-Disabled Users

Vulnerability

Two authorization vulnerabilities have been identified in the Discourse chat direct message API, affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The first issue allows an authenticated chat user to bypass group visibility controls. When creating or modifying direct message channels, the 'target_groups' parameter was sent directly to the user resolution query without verifying group or member visibility for the user. This flaw enabled the extraction of members' identities from known private or hidden groups. The second issue arises from the 'can_chat?' check, which only considered group membership and ignored the 'chat_enabled' user preference. As a result, a chat-disabled user could manipulate the direct messages API to create or access DM channels between other users, potentially revealing private 'last_message' content from the channel's serialized response.
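
The two checks the advisory describes, modelled side by side as an added example. This is not Discourse's code: the `User`, `Group` and `ChatGuardian` names, the `visible` flag and the sample data are constructed for this illustration. The vulnerable forms mirror the advisory's description (membership-only `can_chat?`, target groups resolved without a visibility check); the fixed forms add the `chat_enabled` preference and a visibility filter before any member lookup.

```ruby
# Illustrative model of the two authorization checks from the advisory.
# Constructed example; the names below are assumptions, not Discourse internals.

User  = Struct.new(:id, :chat_enabled, :group_ids, keyword_init: true)
# visible: true = public group, false = private/hidden group
Group = Struct.new(:id, :name, :visible, :members, keyword_init: true)

class ChatGuardian
  def initialize(user, chat_allowed_group_ids:, groups:)
    @user = user
    @chat_allowed_group_ids = chat_allowed_group_ids
    @groups = groups
  end

  # Vulnerable form: membership in a chat-allowed group is the only test,
  # so a user who has turned chat off still passes.
  def can_chat_vulnerable?
    (@user.group_ids & @chat_allowed_group_ids).any?
  end

  # Fixed form: the user's own chat_enabled preference must also be true.
  def can_chat?
    @user.chat_enabled == true && can_chat_vulnerable?
  end

  # Vulnerable form: every requested group name resolves to its member list,
  # regardless of whether the caller may see that group.
  def resolve_target_groups_vulnerable(names)
    @groups.select { |g| names.include?(g.name) }.flat_map(&:members).uniq
  end

  # Fixed form: filter by visibility first, then resolve members.
  # Hidden groups resolve only for the caller's own groups, so a guess at a
  # private group name yields nothing rather than a member list.
  def resolve_target_groups(names)
    @groups
      .select { |g| names.include?(g.name) && group_visible_to_user?(g) }
      .flat_map(&:members)
      .uniq
  end

  def group_visible_to_user?(group)
    group.visible || @user.group_ids.include?(group.id)
  end
end

# Constructed sample data: one hidden group and one public group.
STAFF    = Group.new(id: 10, name: "staff",    visible: false, members: [1, 2])
CHATTERS = Group.new(id: 20, name: "chatters", visible: true,  members: [3, 4])
ALL_GROUPS = [STAFF, CHATTERS].freeze
CHAT_ALLOWED = [20].freeze

# Builds the guardian for a user and returns what each check form answers.
def evaluate(user)
  g = ChatGuardian.new(user, chat_allowed_group_ids: CHAT_ALLOWED, groups: ALL_GROUPS)
  {
    can_chat_vulnerable: g.can_chat_vulnerable?,
    can_chat_fixed:      g.can_chat?,
    staff_vulnerable:    g.resolve_target_groups_vulnerable(["staff"]),
    staff_fixed:         g.resolve_target_groups(["staff"]),
  }
end

if __FILE__ == $PROGRAM_NAME
  outsider = User.new(id: 3, chat_enabled: false, group_ids: [20])
  insider  = User.new(id: 1, chat_enabled: true,  group_ids: [10, 20])
  p evaluate(outsider)
  p evaluate(insider)
end
```

Running the block shows the difference in one line each: for a chat-disabled non-member of `staff`, the vulnerable forms answer `true` and `[1, 2]` while the fixed forms answer `false` and `[]`; a `staff` member with chat enabled gets `[1, 2]` from both.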

Impact

Exploitation of these vulnerabilities could lead to unauthorized access to private group member identities and private message content, including last message details from direct message channels.

Remediation

Users are advised to upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Added: Mar 19, 2026, 10:18 PM
Updated: Mar 19, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.