Discourse Information Disclosure Vulnerability in Form Template API

Vulnerability

A vulnerability exists in Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, allowing authenticated users to access the names and structured contents of form templates from categories they are not authorized to view. This issue arises on Discourse instances with the form templates feature enabled and is limited to the unauthorized disclosure of site configuration metadata.

Impact

Exploitation of this vulnerability could lead to unauthorized access to form template data, including names and structured content, from restricted categories.

Reproduction

To reproduce this vulnerability, an authenticated user must access a Discourse instance with the form templates feature enabled. The user can then call the '/form-templates' or '/form-templates/:id' endpoints. Because these endpoints lack proper authorization checks, the response includes form templates from private or restricted categories that the user is not permitted to view.
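
The missing check described above, modelled as an added Ruby illustration that is not Discourse's own code: the unchecked listing returns every template, while the hardened listing and lookup return only templates attached to a category the caller can read, and treat a hidden template on the ':id' lookup the same as a missing one. The Category and FormTemplate structs, visible_category_ids and the sample data are all constructed for this example.

```ruby
# Hypothetical minimal model of the '/form-templates' and
# '/form-templates/:id' authorization check (not Discourse's code).
Category     = Struct.new(:id, :name, :read_restricted)
FormTemplate = Struct.new(:id, :name, :template, :category_ids)

# Constructed sample site data: one public and one restricted category.
CATEGORIES = [
  Category.new(1, "General", false),
  Category.new(2, "Staff Only", true),
]
TEMPLATES = [
  FormTemplate.new(10, "Bug report", "- type: input\n  id: title", [1]),
  FormTemplate.new(11, "HR incident", "- type: textarea\n  id: details", [2]),
]

# Stand-in for the application's permission check: which categories
# this user may read. Restricted categories are visible to staff only.
def visible_category_ids(user)
  CATEGORIES.select { |c| !c.read_restricted || user[:staff] }.map(&:id)
end

# Vulnerable shape: the index ignores the caller and returns everything,
# including the names and structured contents of restricted templates.
def list_templates_unchecked(_user)
  TEMPLATES
end

# Hardened shape: only templates attached to at least one category the
# caller can read. A template attached to no category is treated as
# restricted, so the filter fails closed.
def list_templates(user)
  allowed = visible_category_ids(user)
  TEMPLATES.select { |t| (t.category_ids & allowed).any? }
end

# Hardened show: a template the caller may not see is indistinguishable
# from one that does not exist, so the lookup does not leak existence.
def show_template(user, id)
  list_templates(user).find { |t| t.id == id }
end

# Convenience for comparing what each caller is shown.
def template_names(user)
  list_templates(user).map(&:name)
end
```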

Remediation

Users should update Discourse to version 2026.5.0-latest.1, 2026.4.1, 2026.3.1, or 2026.1.4.

Added: May 19, 2026, 2:19 AM
Updated: May 19, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread:         2.4
impact:         0.6
exploitability: 4.3
remediation:    7.7
relevance:      8.6
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.