Discourse Private Group Membership Inference Vulnerability

Vulnerability

A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated users to infer whether a specific user is a member of a private group. The inference works by observing how the public user directory results change when the 'exclude_groups' parameter is supplied. The issue is patched in the versions listed above; as a temporary measure, public access to the user directory can be disabled through the admin settings.
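
From the defender's side, the pattern worth alerting on is a single anonymous client repeatedly querying the directory while varying exclude_groups. The following detection logic is an added example, not Discourse code; the access-log format, the /directory_items.json endpoint name and the threshold are assumptions, and the log lines are constructed.

```python
"""Flag anonymous clients that cycle exclude_groups values against the user
directory. Added example, not Discourse code: the log format, the
/directory_items.json endpoint and the threshold are assumptions."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: "<ip> <user-or-dash> <method> <path?query> <status>"
SAMPLE_LOG = """\
203.0.113.7 - GET /directory_items.json?period=all&exclude_groups=team-a 200
203.0.113.7 - GET /directory_items.json?period=all&exclude_groups=team-b 200
203.0.113.7 - GET /directory_items.json?period=all&exclude_groups=team-c 200
203.0.113.7 - GET /directory_items.json?period=all 200
198.51.100.4 alice GET /directory_items.json?period=all&exclude_groups=team-a 200
192.0.2.9 - GET /latest.json 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
DIRECTORY_PATH = "/directory_items.json"  # assumed endpoint name


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "user": None if user == "-" else user, "method": method,
            "path": parts.path, "query": parse_qs(parts.query), "status": int(status)}


def exclude_groups_by_anonymous_ip(log_text):
    """Map each anonymous (unauthenticated) IP to the distinct exclude_groups
    values it sent to the directory endpoint. Logged-in users are ignored."""
    seen = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] is not None or rec["path"] != DIRECTORY_PATH:
            continue
        # Accept both "exclude_groups" and the array-style "exclude_groups[]" key.
        for key in ("exclude_groups", "exclude_groups[]"):
            for value in rec["query"].get(key, []):
                seen[rec["ip"]].update(g for g in value.split(",") if g)
    return {ip: sorted(groups) for ip, groups in seen.items()}


def flag_probing_ips(log_text, threshold=2):
    """IPs that varied exclude_groups across more than `threshold` distinct
    groups: one client toggling the filter is the membership-inference pattern."""
    by_ip = exclude_groups_by_anonymous_ip(log_text)
    return sorted(ip for ip, groups in by_ip.items() if len(groups) > threshold)
```

Feed real access logs through the same functions after adapting LINE_RE to your server's format; the threshold should be tuned to normal directory usage on your site.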

Impact

An unauthenticated user could learn which private groups a specific user belongs to; group membership can itself be sensitive information.

Remediation

Upgrade to Discourse version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. As a workaround, public access to the user directory can be disabled via Admin → Settings → hide user profiles from public.

Added: Mar 21, 2026, 12:28 AM
Updated: Mar 21, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.3
remediation: 8.3
relevance: 4.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.