SB2026070151 - Multiple vulnerabilities in Discourse
Published: July 1, 2026
Description
This security bulletin contains information about 64 vulnerabilities.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute script in the victim's browser.
The vulnerability exists due to cross-site scripting in the rich text editor quote message functionality when parsing and rendering chat channel titles and chat thread titles. A remote user can craft a malicious title and trigger quote message rendering to execute script in the victim's browser.
User interaction is required to view content rendered through the quote message functionality in the rich text editor.
2) Cross-site scripting (CVE-ID: CVE-2026-27154)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the post editing feature when rendering a malicious user's full name as raw HTML. A remote user can set a crafted full name and trick another user into editing a post to execute arbitrary script in a victim's browser.
Only instances with display_name_on_posts enabled and prioritize_username_in_ux disabled are vulnerable.
3) Missing Authorization (CVE-ID: CVE-2026-27151)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper access control in the move_posts action when moving posts between topics. A remote user can move posts into a destination topic without having write permissions there to bypass authorization checks.
This affects TL4 users and category group moderators, including cases involving read-only categories or categories with group-restricted write access.
4) Information disclosure (CVE-ID: CVE-2026-27162)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in posts_nearby when returning nearby posts after checking topic access. A remote user can access excerpts that include whispers to disclose sensitive information.
The issue exposes whispers that should only be visible to users permitted to view whisper content.
5) Missing Authorization (CVE-ID: CVE-2026-27150)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in Data Explorer's QueryGroupBookmarkable when creating query group bookmarks. A remote user can create a bookmark for a query group they do not have access to in order to disclose sensitive information.
Exploitation can expose query group metadata through bookmark reminder notifications.
6) SQL injection (CVE-ID: CVE-2026-27149)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose unauthorized private message metadata.
The vulnerability exists due to SQL injection in list_private_messages_tag when filtering private messages by tag. A remote user can supply a specially crafted tag filter to disclose unauthorized private message metadata.
7) Incorrect authorization (CVE-ID: CVE-2026-33410)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the chat direct message API when creating a direct message channel or adding users to an existing one. A remote user can send a specially crafted API request with a known private or hidden group name to disclose sensitive information.
The issue can expose the identities of members of private or hidden groups.
8) Information disclosure (CVE-ID: CVE-2026-33355)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the /private-posts endpoint when handling requests for private message topics. A remote user can request the private-posts feed for a PM topic they can access to disclose sensitive information.
The impact is limited to regular PM participants being able to view whisper posts in PM topics they already had access to.
9) Information disclosure (CVE-ID: CVE-2026-32099)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the user onebox preview when handling requests for a hidden user's profile URL. A remote user can request a onebox for a hidden user's profile URL to disclose sensitive information.
Hidden profile fields exposed in the response include the user's bio, location, and website.
10) Information disclosure (CVE-ID: CVE-2026-33394)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the Post Edits admin report (/admin/reports/post_edits) when displaying post edit data. A remote privileged user can view the report to disclose sensitive information.
The issue exposed the first 40 characters of raw post content from private messages and secure categories to moderators without access to that content.
11) Improper access control (CVE-ID: CVE-2026-33393)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass spam protection.
The vulnerability exists due to improper access control in the allowed_spam_host_domains check when validating host domains against the allowlist. A remote user can use a crafted domain name with an allowlisted suffix to bypass spam protection.
The issue stems from using suffix-based hostname matching without validating a domain boundary, which can affect enforcement of newuser_spam_host_threshold.
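The weak and hardened forms of the hostname check described above, as an added illustration that is not Discourse's own code: the allowlist, the sample hosts and the threshold-counting helper are constructed for this example.

```ruby
# Illustrative (not Discourse's code): an allowlist check that matches on the
# bare hostname suffix, beside a check that requires a label boundary.

# Constructed sample allowlist of host domains.
ALLOWED_HOST_DOMAINS = %w[example.com docs.example.org].freeze

# Weak form: a plain suffix match. "notexample.com" ends with "example.com",
# so an allowlisted suffix embedded in an unrelated registrable domain passes.
def allowed_by_suffix?(host, allowlist = ALLOWED_HOST_DOMAINS)
  host = host.to_s.downcase.chomp(".")
  allowlist.any? { |allowed| host.end_with?(allowed.downcase) }
end

# Hardened form: the host must equal an allowlisted domain or be a subdomain
# of it, i.e. the match must start at a "." label boundary.
def allowed_by_domain?(host, allowlist = ALLOWED_HOST_DOMAINS)
  host = host.to_s.downcase.chomp(".")
  return false if host.empty?
  allowlist.any? do |allowed|
    allowed = allowed.downcase
    host == allowed || host.end_with?(".#{allowed}")
  end
end

# Hostnames extracted from links in a post (constructed sample input).
SAMPLE_HOSTS = %w[
  example.com
  cdn.example.com
  notexample.com
  example.com.evil.test
  docs.example.org
].freeze

# Number of linked hosts that are NOT allowlisted, i.e. the hosts a
# link-host threshold would count. With the weak check, "notexample.com"
# escapes the count; with the boundary check it is counted.
def count_unlisted_hosts(hosts, checker)
  hosts.count { |h| !checker.call(h) }
end

def compare_checks(hosts = SAMPLE_HOSTS)
  hosts.map { |h| [h, allowed_by_suffix?(h), allowed_by_domain?(h)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |host, suffix_ok, domain_ok|
    puts format("%-25s suffix=%-5s boundary=%s", host, suffix_ok, domain_ok)
  end
  puts "unlisted (suffix):   #{count_unlisted_hosts(SAMPLE_HOSTS, method(:allowed_by_suffix?))}"
  puts "unlisted (boundary): #{count_unlisted_hosts(SAMPLE_HOSTS, method(:allowed_by_domain?))}"
end
```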
12) Missing Authorization (CVE-ID: CVE-2026-27454)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to missing authorization in the posts endpoint when requesting /posts/:id.json with a version parameter. A remote attacker can enumerate version numbers to disclose sensitive information.
Hidden post revisions intended to be concealed by staff can be exposed.
13) Cross-site scripting (CVE-ID: CVE-2026-27166)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify the URL of the main page.
The vulnerability exists due to improper neutralization of input in the default Codepen allowed iframes value when processing prohibited iframe URLs. A remote user can craft content that tricks a user into changing the URL of the main page.
User interaction is required.
14) Cross-site scripting (CVE-ID: CVE-2026-33395)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject malicious JavaScript code.
The vulnerability exists due to cross-site scripting in the discourse-graphviz plugin when processing DOT graph definitions. A remote user can submit a specially crafted graph definition to inject malicious JavaScript code.
Only instances with CSP disabled are vulnerable. User interaction is required to view the stored content.
15) Improper access control (CVE-ID: CVE-2026-27491)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to issue unauthorized warnings to other users.
The vulnerability exists due to improper access control in the post actions API endpoint when handling specially crafted requests. A remote user can send a specially crafted request to issue unauthorized warnings to other users.
Exploitation requires the attacker to be logged in. No data exposure or privilege escalation beyond creating unauthorized user warnings is possible.
16) Improper Authorization (CVE-ID: CVE-2026-33408)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in the "Post Edits" report for moderators when viewing post edit history. A remote privileged user can access the first 40 characters of post edits in private messages and private categories to disclose sensitive information.
The issue is limited to the first 40 characters of edited content.
17) Improper access control (CVE-ID: CVE-2026-31805)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks to modify poll state and disclose limited information about inaccessible polls.
The vulnerability exists due to improper access control in DiscoursePoll::PollsController vote, remove_vote, and toggle_status endpoints when handling a post_id array parameter. A remote attacker can send a specially crafted request with post_id supplied as an array to bypass authorization checks to modify poll state and disclose limited information about inaccessible polls.
The authorization check resolves to an accessible post while the poll lookup resolves to a different post's poll.
18) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-31869)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in ComposerController#mentions when handling requests with user-supplied allowed_names values. A remote user can supply a crafted allowed_names parameter and probe usernames to disclose sensitive information.
The issue allows inference of hidden group membership based on whether user_reasons returns "private" for a given user.
19) Input validation error (CVE-ID: CVE-2026-33427)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to conduct social engineering attacks against users.
The vulnerability exists due to improper input validation in the authorization page when displaying a redirect domain. A remote attacker can supply an attacker-controlled domain to conduct social engineering attacks against users.
20) Cross-site scripting (CVE-ID: CVE-2026-27740)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a staff member's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the Review Queue interface when rendering raw AI LLM output with htmlSafe. A remote user can use prompt injection techniques to cause the AI to return a malicious payload and execute arbitrary script code in a staff member's browser.
User interaction is required when a staff member views the flagged post in the Review Queue.
21) Cross-site scripting (CVE-ID: CVE-2026-27570)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to cross-site scripting in the SharedAiConversation onebox method when rendering a shared AI conversation title into HTML. A remote user can create a shared AI conversation with a crafted title to execute arbitrary script code in a victim's browser.
22) Improper access control (CVE-ID: CVE-2026-27936)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in restricted post action counts. A remote user can send a carefully crafted request to disclose sensitive information.
23) Improper access control (CVE-ID: CVE-2026-27934)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the user action API endpoint when handling requests for user actions. A remote attacker can request user action data to disclose sensitive information.
The issue may expose the title and post excerpt of private topics to unauthorized users.
24) Improper access control (CVE-ID: CVE-2026-27935)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in an API endpoint when handling requests for private topic metadata. A remote user can send a request to disclose sensitive information.
The issue exposes private topic metadata of admin users to moderator users who do not have access to the private topics.
25) Improper access control (CVE-ID: CVE-2026-28282)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the discourse-policy plugin when processing policies with the add-users-to-group attribute. A remote user can create a policy that adds themselves to a private or restricted group to disclose sensitive information.
Successful exploitation allows access to private topics restricted to the affected group.
26) Improper access control (CVE-ID: CVE-2026-29072)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to create functional policy acceptance widgets in posts.
The vulnerability exists due to improper access control in the discourse-policy plugin when creating policy widgets in posts. A remote user outside the permitted groups can create functional policy acceptance widgets in posts.
Only users who do not belong to the allowed policy creation groups are able to exploit this issue under the right conditions.
27) Improper access control (CVE-ID: CVE-2026-33291)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to create Zendesk tickets for topics they do not have access to view.
The vulnerability exists due to improper access control in the Zendesk ticket creation functionality when handling ticket creation for topics. A remote user can create a Zendesk ticket for a topic they cannot view.
Only forums that use the Zendesk plugin are vulnerable.
28) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32114)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key in unscoped status lookups when providing identifiers for AI personas, features, and LLM models. A remote user can supply crafted identifiers to disclose sensitive information.
The disclosed metadata may include credit allocations and usage statistics.
29) Observable discrepancy (CVE-ID: CVE-2026-33425)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to infer private group membership or group existence.
The vulnerability exists due to observable discrepancy in the user directory exclude_groups parameter handling when processing directory requests with user-supplied exclude_groups values. A remote attacker can send crafted requests with the exclude_groups parameter and observe changes in directory results to infer private group membership or group existence.
30) Improper access control (CVE-ID: CVE-2026-33428)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the deleted posts index endpoint when handling requests. A remote user can access deleted posts belonging to any user to disclose sensitive information.
The issue affects non-staff users with elevated group membership.
31) Improper access control (CVE-ID: CVE-2026-30891)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the user actions endpoint when handling requests for user activity. A remote user can request another user's private activity to disclose sensitive information.
32) Improper access control (CVE-ID: CVE-2026-30889)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in post metadata access controls in the discourse-user-notes functionality when handling requests for post data. A remote user can access metadata of posts they should not have permission to view to disclose sensitive information.
The issue affects moderators.
33) Cross-site scripting (CVE-ID: CVE-2026-33411)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a user's browser.
The vulnerability exists due to cross-site scripting in topic titles in the solved posts stream when rendering topic titles. A remote user can create a topic with a specially crafted title to execute arbitrary script in a user's browser.
34) Improper access control (CVE-ID: CVE-2026-33251)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify solution acceptance state for hidden solved topics.
The vulnerability exists due to improper access control in hidden Solved topics when handling solution acceptance actions. A remote user can accept or unaccept solutions to modify solution acceptance state for hidden solved topics.
35) Improper access control (CVE-ID: CVE-2026-30888)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify site policy documents.
The vulnerability exists due to improper access control in the suspend/silence endpoint when handling an arbitrary post_id. A remote user can supply a crafted post_id to modify site policy documents.
The issue allows modification of the terms of service, guidelines, and privacy policy despite those documents being explicitly restricted from moderators.
36) Improper access control (CVE-ID: CVE-2026-33424)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote privileged user to disclose sensitive information and modify access to a private message topic.
The vulnerability exists due to improper access control in the private message invite mechanism when handling invites after access to the private message has been revoked. A remote privileged user can send an invite that grants access to the private message topic after access has been revoked, disclosing sensitive information and modifying access to the topic.
User interaction is required to accept the invite.
37) Improper access control (CVE-ID: CVE-2026-33423)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify any user's group notification level.
The vulnerability exists due to improper access control in group notification level handling when processing modification requests. A remote user can send a crafted request to modify any user's group notification level.
38) Improper access control (CVE-ID: CVE-2026-33426)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify hidden tags and create unauthorized tag synonyms.
The vulnerability exists due to improper access control in tag editing and tag synonym management when handling tag modification requests for hidden tags in restricted tag groups. A remote privileged user can edit a hidden tag or create a synonym for it to modify hidden tags and create unauthorized tag synonyms.
User interaction is required.
39) Improper access control (CVE-ID: CVE-2026-33422)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the review queue when displaying details of flagged users. A remote user can access the review queue to view the exposed ip_address of a flagged user and disclose sensitive information.
User interaction is required to access the review queue.
40) Improper access control (CVE-ID: CVE-2026-44779)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in AI debug audit logs when handling access to bot debug endpoints. A remote user can access whisper translation audit logs to disclose sensitive information.
By default, no users have access to the AI debug audit logs.
41) Improper access control (CVE-ID: CVE-2026-44782)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in GroupPostSerializer when serializing reaction post associations. A remote user can access serialized post data to disclose sensitive information.
Hidden full names may be exposed even when the site setting intended to disable name display is enabled.
42) Improper access control (CVE-ID: CVE-2026-44783)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject content into staff-only whisper posts.
The vulnerability exists due to improper access control in replies to whisper posts when handling reply submissions. A remote user can submit a reply to a whisper post to inject content into staff-only whisper posts.
Only sites with whispers enabled are affected, and the injected content is visible to whisperers alongside legitimate whispers.
43) Improper access control (CVE-ID: CVE-2026-44786)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in public chat MessageBus broadcasts when publishing chat events for public category channels. A remote attacker can subscribe to MessageBus and receive chat message payloads in real time to disclose sensitive information.
The issue affects subscribers without chat enabled.
44) Improper access control (CVE-ID: CVE-2026-45085)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the chat plugin and discourse-calendar integration when rendering calendar event payloads and flagged chat message review content. A remote attacker can access crafted or affected content to disclose sensitive information.
The issue affects sites with the chat plugin enabled; the calendar-related exposure additionally requires discourse-calendar, and anonymous users may be able to view exposed chat channel details and the last message without chat access.
45) Improper access control (CVE-ID: CVE-2026-44784)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the group history log endpoint when handling requests to view group logs. A remote user can access /groups/:name/logs.json for a group they own to disclose sensitive information.
This affects sites that use per-group SMTP credentials and assign group ownership to users who should not have access to those credentials.
46) Improper access control (CVE-ID: CVE-2026-44785)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the AI "explain" helper when explaining a reply to a hidden parent post. A remote user can invoke the "Explain" feature on the reply to disclose sensitive information.
Only authenticated users with access to the AI helper feature are able to exploit this issue.
47) Path traversal (CVE-ID: CVE-2026-45775)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive backup information.
The vulnerability exists due to path traversal in backup download handling when processing a crafted backup download request in a multisite deployment with local backup storage. A remote privileged user can send a specially crafted backup download request to disclose sensitive backup information.
Only multisite deployments using local backup storage are affected. Deployments using S3 backup storage are not affected.
48) Information disclosure (CVE-ID: CVE-2026-47264)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in DetailedTagSerializer#tag_group_names when handling tag info requests. A remote attacker can send a request to TagsController#info to disclose sensitive information.
Only instances with SiteSetting.tags_listed_by_group enabled are vulnerable, and the issue can expose names of tag groups restricted to specific user groups or non-visible categories.
49) Improper access control (CVE-ID: CVE-2026-34154)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to subscription-gated groups.
The vulnerability exists due to improper access control in the discourse-subscriptions plugin when handling subscription-based group access. A remote user can obtain access to a subscription-gated group without completing payment.
50) Missing Authorization (CVE-ID: CVE-2026-33514)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the form template API when handling requests for form templates. A remote user can send a request to read the name and structured content of form templates to disclose sensitive information.
Only instances with the form templates feature enabled are vulnerable.
51) Information disclosure (CVE-ID: CVE-2026-44780)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in ReviewableQueuedPostSerializer when rendering queued posts received via incoming email. A remote user can access the review queue to read the full raw incoming email content and disclose sensitive information.
The exposed content may include headers, sender trace, mail user agent information, and message body, and affects users who are not in the groups allowed to view raw email.
52) Information disclosure (CVE-ID: CVE-2026-47263)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the MessageBus.publish call for /web_hook_events/ in Jobs::RedeliverWebHookEvents when processing webhook redeliveries. A remote attacker can subscribe to the channel and enumerate sequential webhook IDs to disclose sensitive information.
On instances where login_required is disabled, anonymous users can access the channel. The exposed payload may include request and response headers and bodies, private post content, user PII, and data returned by third-party endpoints.
53) Improper access control (CVE-ID: CVE-2026-32244)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose removed content.
The vulnerability exists due to improper access control in cached AI summaries when serving previously generated summaries. A remote attacker can access outdated summaries to disclose removed content.
The issue affects anonymous and unprivileged users who cannot regenerate summaries.
54) Improper access control (CVE-ID: CVE-2026-46413)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify files in the admin backup store.
The vulnerability exists due to improper access control in direct S3 multipart uploads to the backup store when handling multipart upload requests. A remote user can complete a multipart upload to the S3 backup store and thereby modify files in the admin backup store.
55) Improper access control (CVE-ID: CVE-2026-49256)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in category and group endpoints when exposing category serializer data for publicly readable categories with restricted tag groups attached as allowed_tags, allowed_tag_groups, or required tag groups. A remote attacker can access those endpoints to disclose sensitive information.
Only sites that use tag group restrictions and attach those restricted tags or tag groups to publicly readable categories are affected.
56) Improper access control (CVE-ID: CVE-2026-44787)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information and post whisper content.
The vulnerability exists due to improper access control in the signup flow when assigning primary_group_id during account registration. A remote attacker can register a new account with a primary_group_id that grants whisper-group privileges to disclose sensitive information and post whisper content.
Only sites that have configured the whispers_allowed_groups setting to include one or more groups are affected. The default configuration is not affected.
57) Improper access control (CVE-ID: CVE-2026-45788)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in secure uploads when copying hotlinked images. A remote attacker can copy a hotlinked image with a known secure upload URL to disclose sensitive information.
Only sites with the secure_uploads setting enabled are vulnerable.
58) Improper access control (CVE-ID: CVE-2026-45780)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in private event invitee serialization when rendering event data to users who can view the topic. A remote attacker can view a topic containing a private event to disclose sensitive information.
Exposed information may include invited group names, sample invitees, and attendance statistics for the private event.
59) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in post revision diffs when viewing visible diffs on adjacent revisions. A remote attacker can access adjacent visible diffs to disclose sensitive information.
Hidden post revisions intended to be unavailable to regular users may be exposed through revision comparisons.
60) Improper access control (CVE-ID: CVE-2026-53961)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disable a targeted user's email delivery and cause a denial of service.
The vulnerability exists due to improper access control in the AWS SES bounce webhook endpoint when processing SNS bounce notifications. A remote attacker can publish validly signed but forged bounce notifications from an untrusted SNS topic to disable a targeted user's email delivery and cause a denial of service.
Exploitation requires that the email webhooks endpoint is exposed and that the site uses AWS SES with SNS for bounce handling. No forum account or victim interaction is required.
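The defect described above is a webhook that trusts any validly signed SNS notification regardless of which topic published it. The following added example (not Discourse code; the topic ARNs and addresses are constructed) shows the missing check: a bounce consumer that ignores notifications whose TopicArn is not on an explicit allowlist, even when the AWS signature itself verifies.

```ruby
require "json"

# Topics this site actually subscribed to for SES bounce delivery.
# Constructed sample value; a real deployment loads this from configuration.
TRUSTED_TOPIC_ARNS = [
  "arn:aws:sns:us-east-1:111122223333:forum-ses-bounces",
].freeze

# Returns the recipient addresses to mark as bounced, or [] if the
# notification must be ignored. Signature verification against the AWS
# signing certificate is assumed to happen before this call; this function
# closes the separate gap where a signed message comes from a topic the site
# never subscribed to.
def bounced_recipients(raw_body, trusted_topics = TRUSTED_TOPIC_ARNS)
  msg = JSON.parse(raw_body)
  return [] unless msg["Type"] == "Notification"
  # The origin check: a valid signature only proves AWS signed it, not that
  # it came from our topic. Reject anything not on the allowlist.
  return [] unless trusted_topics.include?(msg["TopicArn"])

  ses = JSON.parse(msg["Message"])          # SES payload is nested JSON text
  return [] unless ses["notificationType"] == "Bounce"

  bounce = ses["bounce"] || {}
  Array(bounce["bouncedRecipients"]).map { |r| r["emailAddress"] }.compact
rescue JSON::ParserError
  []
end

# Constructed sample SES bounce payload, as it would appear in "Message".
SES_BOUNCE = JSON.generate(
  "notificationType" => "Bounce",
  "bounce" => {
    "bounceType" => "Permanent",
    "bouncedRecipients" => [{ "emailAddress" => "alice@example.com" }],
  }
)

# Same SES payload wrapped once by the subscribed topic and once by a topic
# the site never subscribed to; only the first may disable email delivery.
TRUSTED_NOTIFICATION = JSON.generate(
  "Type" => "Notification", "TopicArn" => TRUSTED_TOPIC_ARNS.first, "Message" => SES_BOUNCE
)
FORGED_NOTIFICATION = JSON.generate(
  "Type" => "Notification",
  "TopicArn" => "arn:aws:sns:us-east-1:999999999999:other-topic", "Message" => SES_BOUNCE
)
```
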
61) Input validation error (CVE-ID: CVE-2026-55420)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in PDF upload processing when handling uploaded PDF files under certain non-default configurations. A remote user can upload a specially crafted PDF file to execute arbitrary code.
Only installations using certain non-default configurations are vulnerable.
62) Cross-site scripting (CVE-ID: CVE-2026-53962)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.
The vulnerability exists due to insufficient sanitization in SVG handling when processing crafted SVG content via specific URLs. A remote user can supply crafted content and trick the victim into visiting specific URLs to execute arbitrary script code in the victim's browser.
User interaction is required to visit specific URLs, which are not normally part of the community browsing experience. The issue occurs only under some site configurations.
63) Cross-site scripting (CVE-ID: CVE-2026-55424)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation when the topic list renders a user-supplied topic featured link. A remote user can set a crafted featured link to execute arbitrary JavaScript code in the victim's browser.
This issue is exploitable only on sites that have modified or disabled the default Content Security Policy, and any user viewing a topic list containing the affected topic may be targeted.
64) Cross-site scripting (CVE-ID: CVE-2026-53963)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to cross-site scripting in the 2FA delete confirmation modal when rendering a malicious 2FA method name. A remote user can set a malicious name on a 2FA method of an attacker-controlled account to escalate privileges.
User interaction is required when an administrator impersonates the attacker-controlled account.
Remediation
Install the update from the vendor's website.
References
- https://github.com/discourse/discourse/security/advisories/GHSA-7p47-8m82-m2vf
- https://github.com/discourse/discourse/security/advisories/GHSA-xv43-5gcp-wgw8
- https://github.com/discourse/discourse/security/advisories/GHSA-m69h-9m2g-cfgw
- https://github.com/discourse/discourse/security/advisories/GHSA-gffm-43j4-372w
- https://github.com/discourse/discourse/security/advisories/GHSA-rw95-54qr-qrw8
- https://github.com/discourse/discourse/security/advisories/GHSA-m6qf-h49w-h38w
- https://github.com/discourse/discourse/security/advisories/GHSA-2m5j-6v2r-cq2h
- https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq
- https://github.com/discourse/discourse/security/advisories/GHSA-q83g-cj26-j4x5
- https://github.com/discourse/discourse/security/advisories/GHSA-wxvr-pm5c-829p
- https://github.com/discourse/discourse/security/advisories/GHSA-95r5-p6qr-hgw6
- https://github.com/discourse/discourse/security/advisories/GHSA-fq69-f929-wp96
- https://github.com/discourse/discourse/security/advisories/GHSA-h653-cq78-vjj2
- https://github.com/discourse/discourse/security/advisories/GHSA-23c7-gq89-xm5v
- https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j
- https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c
- https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823
- https://github.com/discourse/discourse/security/advisories/GHSA-5f9h-vp7v-7vq5
- https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr
- https://github.com/discourse/discourse/security/advisories/GHSA-95hc-42c6-wvvr
- https://github.com/discourse/discourse/security/advisories/GHSA-hfxw-89hw-vwmv
- https://github.com/discourse/discourse/security/advisories/GHSA-v9r3-p863-6f25
- https://github.com/discourse/discourse/security/advisories/GHSA-824f-66wh-xx3g
- https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76
- https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf
- https://github.com/discourse/discourse/security/advisories/GHSA-7ph8-vprq-4jrp
- https://github.com/discourse/discourse/security/advisories/GHSA-p26h-jqr4-r6j7
- https://github.com/discourse/discourse/security/advisories/GHSA-3cvr-pm4c-hx96
- https://github.com/discourse/discourse/security/advisories/GHSA-r6rh-xvf5-r5f2
- https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp
- https://github.com/discourse/discourse/security/advisories/GHSA-ww5f-24g5-c33g
- https://github.com/discourse/discourse/security/advisories/GHSA-5qm9-r98f-g4mq
- https://github.com/discourse/discourse/security/advisories/GHSA-j3mm-ghh2-83x2
- https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
- https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96
- https://github.com/discourse/discourse/security/advisories/GHSA-hgcp-p7hq-cwxw
- https://github.com/discourse/discourse/security/advisories/GHSA-qggq-wr6h-vhrg
- https://github.com/discourse/discourse/security/advisories/GHSA-2289-4m46-2hxh
- https://github.com/discourse/discourse/security/advisories/GHSA-x32r-45vg-vm84
- https://github.com/discourse/discourse/security/advisories/GHSA-x6mr-wjq6-495j
- https://github.com/discourse/discourse/security/advisories/GHSA-h3mq-9r6w-h33j
- https://github.com/discourse/discourse/security/advisories/GHSA-98ch-mgfj-wqpw
- https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783
- https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w
- https://github.com/discourse/discourse/security/advisories/GHSA-94c5-j24g-r99f
- https://github.com/discourse/discourse/security/advisories/GHSA-7h76-fwxc-j586
- https://github.com/discourse/discourse/security/advisories/GHSA-5j6v-4x6g-9pg5
- https://github.com/discourse/discourse/security/advisories/GHSA-4q5q-6hh6-53x2
- https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g
- https://github.com/discourse/discourse/security/advisories/GHSA-w6g7-p2p9-2m5h
- https://github.com/discourse/discourse/security/advisories/GHSA-h2jr-whpx-6w63
- https://github.com/discourse/discourse/security/advisories/GHSA-wvrm-9v64-m96p
- https://github.com/discourse/discourse/security/advisories/GHSA-hjmg-2mww-vfvx
- https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7
- https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx
- https://github.com/discourse/discourse/security/advisories/GHSA-vmwq-jvxx-jwfx
- https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38
- https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7
- https://github.com/discourse/discourse/security/advisories/GHSA-q456-4f8q-42vx
- https://github.com/discourse/discourse/security/advisories/GHSA-8f9m-v436-wr3x
- https://github.com/discourse/discourse/security/advisories/GHSA-7wq5-jgww-5rw3
- https://github.com/discourse/discourse/security/advisories/GHSA-jmcf-3367-78vv
- https://github.com/discourse/discourse/security/advisories/GHSA-695w-7fv8-mxg3
- https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5