Discourse Staged User Custom Fields Exposure Vulnerability on Public Invite Pages
Vulnerability
A vulnerability exists in Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. This issue allows staged user custom fields and usernames to be exposed on public invite pages without requiring email verification.
Impact
The vulnerability leads to unauthorized exposure of staged user custom fields and usernames on public invite pages, bypassing email verification.
Remediation
Users are advised to upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0.
Added: Apr 3, 2026, 10:25 PM
Updated: Apr 3, 2026, 10:25 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
