SB2026070156 - Multiple vulnerabilities in Discourse

Published: July 1, 2026

Security Bulletin ID: SB2026070156
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 17
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 12%, Low: 88%

Description

This security bulletin contains information about 17 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-32951)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in Oneboxer.local_topic when handling an inline onebox request with a user-controlled category_id parameter. A remote user can send a specially crafted inline onebox request to disclose sensitive information.

Only shared draft topic titles are exposed; post content is not disclosed.


2) Improper access control (CVE-ID: CVE-2026-33415)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the sentiment analytics endpoint when handling requests for category analytics data. A remote user can send a request to retrieve post content, topic titles, and usernames from categories they are not authorized to view to disclose sensitive information.

Exploitation requires moderator-level access.


3) Information disclosure (CVE-ID: CVE-2026-33073)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper isolation of Stripe API keys in the discourse-subscriptions plugin when operating in a multisite cluster. A remote user can access Stripe-related information belonging to another site in the cluster to disclose sensitive information.

Only multisite cluster deployments are affected.


4) Improper access control (CVE-ID: CVE-2026-33074)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to gain access to higher tier subscription benefits.

The vulnerability exists due to improper access control in the discourse-subscriptions plugin when processing subscription purchases. A remote user can purchase a lower tier subscription and grant themselves the benefits of a higher tier.


5) Improper access control (CVE-ID: CVE-2026-33300)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Category Chatables Controller show action when handling requests to the `category-chatables` endpoint. A remote user can send a request to obtain hidden group names and user count information to disclose sensitive information.

The issue exposes hidden group metadata to moderators.


6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33185)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to probe internal network infrastructure.

The vulnerability exists due to server-side request forgery (SSRF) in the group email settings test endpoint when handling test requests. A remote user can submit a crafted request to make the server initiate outbound connections to arbitrary hosts and ports to probe internal network infrastructure.

The endpoint was accessible to non-staff group owners.


7) Improper access control (CVE-ID: CVE-2026-34947)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in public invite pages when handling invite page requests without email verification. A remote attacker can access a public invite page to disclose sensitive information.

Exposed information includes staged user custom fields and the username.


8) Improper access control (CVE-ID: CVE-2026-32620)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in whisper read receipt metadata for staff-only posts when handling requests for post metadata. A remote user can access read receipt information for staff-only posts to disclose sensitive information.

No post content is exposed; only metadata about who read the post and when can be disclosed.


9) Improper access control (CVE-ID: CVE-2026-32619)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify poll state in topics they should no longer have access to.

The vulnerability exists due to improper access control in poll handling for private category topics when processing poll interactions after topic access has been revoked. A remote user whose access has been revoked can still vote in polls or toggle poll status, modifying poll state in topics they should no longer have access to.

No topic content is exposed. Exploitation requires that the user previously had access to the topic and later lost that access.


10) Open redirect (CVE-ID: CVE-2026-32113)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to redirect users to an arbitrary external site.

The vulnerability exists due to improper input validation in the enter action of StaticController when processing the sso_destination_url cookie during authentication via the /login endpoint. A remote attacker can set a crafted cookie value to redirect users to an arbitrary external site.

Only sites with DiscourseConnect Provider enabled are vulnerable, and exploitation requires the ability to set cookies in the victim's browser.


11) Improper access control (CVE-ID: CVE-2026-32143)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the report export functionality when exporting admin-restricted reports. A remote user can export CSV data for admin-restricted reports to disclose sensitive information.


12) Cross-site scripting (CVE-ID: CVE-2026-32243)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the discourse-ai shared conversations onebox preview when rendering crafted conversation titles. A remote user can create a shared AI conversation with a specially crafted title to execute arbitrary script code in the victim's browser.

This may allow session hijacking or unauthorized actions on behalf of the victim.


13) Improper access control (CVE-ID: CVE-2026-32615)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform privileged actions on topics in restricted categories without read access.

The vulnerability exists due to improper access control in category group moderator permissions when accessing topics in private categories without read access. A remote user holding category group moderator permissions can perform moderator actions on topics in restricted categories to which they have no read access.


14) Cross-site scripting (CVE-ID: CVE-2026-32607)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of a user viewing an affected topic.

The vulnerability exists due to cross-site scripting in assignment-related UI rendering paths when rendering unescaped user or group display names. A remote user can set a crafted assignee name to execute arbitrary JavaScript in the browser of a user viewing an affected topic.

Only sites with the assign plugin enabled and the hidden prioritize_full_name_in_ux site setting manually enabled via console are vulnerable.


15) Improper access control (CVE-ID: CVE-2026-32618)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in chat user search when processing the excluded_memberships_channel_id parameter. A remote user can query chat user search with a crafted excluded_memberships_channel_id value to disclose sensitive information.


16) Improper access control (CVE-ID: CVE-2026-27481)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in tag routes when handling requests for hidden tag data. A remote attacker can request staff-only tag routes to disclose sensitive information.

Only instances with tagging enabled and staff-only tag groups configured are vulnerable.


17) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-32273)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in category description update handling via the API when processing a user-supplied description string. A remote user can submit a crafted category description via the API to execute arbitrary script in a victim's browser.

User interaction is required for the crafted content to be viewed.
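The CVSS 4.0 vectors listed above can be parsed mechanically to decide which entries to patch first. The following Python is an added triage example, not part of this bulletin or of Discourse: it embeds six of the bulletin's own vectors, validates the vector format, and orders the CVEs so that unauthenticated, network-reachable, no-interaction issues come first, then by worst base impact. That ordering rule is the example's own assumption, not the bulletin's severity method.

```python
from dataclasses import dataclass

# Six vectors copied from the bulletin entries above, keyed by CVE ID.
BULLETIN_VECTORS = {
    "CVE-2026-33415": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-34947": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-32113": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-32615": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-27481": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-32243": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
}

# Ordering of the impact letters used by VC/VI/VA (and SC/SI/SA): N < L < H.
IMPACT_RANK = {"N": 0, "L": 1, "H": 2}


def parse_cvss4(vector: str) -> dict:
    """Split a CVSS:4.0 vector into {metric: value}; reject other versions
    and any segment that is not KEY:VALUE so a mangled vector fails loudly."""
    prefix, sep, rest = vector.partition("/")
    if prefix != "CVSS:4.0" or not sep:
        raise ValueError(f"not a CVSS 4.0 vector: {vector!r}")
    metrics = {}
    for segment in rest.split("/"):
        key, sep, value = segment.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed metric segment: {segment!r}")
        metrics[key] = value
    return metrics


@dataclass(frozen=True)
class Triage:
    cve: str
    unauthenticated: bool       # PR:N -> reachable without an account
    network: bool               # AV:N -> reachable over the network
    no_user_interaction: bool   # UI:N -> no victim action needed
    worst_impact: str           # highest of VC, VI, VA


def triage(cve: str, vector: str) -> Triage:
    m = parse_cvss4(vector)
    worst = max((m["VC"], m["VI"], m["VA"]), key=IMPACT_RANK.__getitem__)
    return Triage(cve, m["PR"] == "N", m["AV"] == "N", m["UI"] == "N", worst)


def patch_order(vectors: dict) -> list:
    """CVE IDs ordered for patch planning (assumed rule, not the bulletin's):
    unauthenticated, then network, then no interaction, then worst impact."""
    rows = [triage(cve, v) for cve, v in vectors.items()]
    rows.sort(key=lambda t: (-t.unauthenticated, -t.network, -t.no_user_interaction,
                             -IMPACT_RANK[t.worst_impact], t.cve))
    return [t.cve for t in rows]
```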


Remediation

Install the update from the vendor's website.