Improper Authorization in Discourse - CVE-2024-28242
Published: March 15, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper authorization when rendering category backgrounds for secret categories that have custom backgrounds. A remote attacker can use the affected category background handling to disclose sensitive information.
The issue can reveal the existence of secret categories when category backgrounds are set.