Improper access control in Discourse - CVE-2024-52589
Published: December 19, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access control in the Screened emails list in the admin dashboard when handling moderator access. A remote privileged user can view the Screened emails list and obtain sensitive information.
The issue can expose a user's email address even when the "moderators view emails" option is disabled.