Discourse Private Message Access Vulnerability via Invites

Vulnerability

A vulnerability in Discourse allows an attacker to retain access to a private message topic through invites, even after losing original access to the message. This issue is present in Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.

Impact

Exploitation of this vulnerability allows for unauthorized access to private message topics, potentially leading to exposure of sensitive information shared within those messages.

Remediation

Users are advised to upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.
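The fixed versions above sit on three separate release lines, so a single "older than X" comparison misjudges installs such as 2026.2.0, which is newer than 2026.1.2 yet still unpatched. The following check is an added example, not code from Discourse or from this advisory. It assumes each fixed version applies to its own year.minor line, that a "-latest.N" build precedes the untagged release of the same number, and that lines older than 2026.1 have no fix; the host names and installed versions in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (year, minor) release line.
FIXED = {
    (2026, 1): "2026.1.2",
    (2026, 2): "2026.2.1",
    (2026, 3): "2026.3.0-latest.1",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-latest\.(\d+))?$")


def parse(version):
    """Return a sortable key for 'Y.M.P' or 'Y.M.P-latest.N' strings."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    year, minor, patch, latest = m.groups()
    # Assumption: '-latest.N' builds sort before the untagged release.
    pre = (0, int(latest)) if latest is not None else (1, 0)
    return (int(year), int(minor), int(patch), pre)


def is_affected(version):
    """True if `version` predates the fix for its own release line."""
    key = parse(version)
    line = key[:2]
    if line in FIXED:
        return key < parse(FIXED[line])
    # Assumption: lines older than every listed fix never received one,
    # and lines newer than every listed fix already contain it.
    return line < min(FIXED)


def affected_hosts(inventory):
    """Return the sorted host names whose installed version is affected."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


# Constructed sample inventory: host name -> installed Discourse version.
SAMPLE_INVENTORY = {
    "forum-a": "2026.2.0",           # newer than 2026.1.2, still unpatched
    "forum-b": "2026.1.2",           # fixed release on the 2026.1 line
    "forum-c": "2026.3.0-latest.0",  # build before the fixed latest.1
    "forum-d": "2025.12.4",          # older line with no listed fix
}

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```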

Added: Mar 21, 2026, 12:28 AM
Updated: Mar 21, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.4
remediation: 0.0
relevance: 4.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.