Exposure of Private Information ('Privacy Violation') in Discourse - CVE-2024-49765

Published: December 19, 2024 / Updated: July 1, 2026


Vulnerability identifier: #VU136103
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-49765
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose private personal information.

The vulnerability exists because, when DiscourseConnect (the platform's single sign-on mechanism) is enabled while local logins or other login methods remain enabled, those alternate login paths are not subject to the same access control as DiscourseConnect. A remote attacker can create an account or log in through such an alternate login path and thereby gain access to private personal information.

Only sites that use DiscourseConnect while also keeping other login methods enabled are affected; a site where DiscourseConnect is the sole login method is not.
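The affected configuration is a combination of site settings, so it can be checked mechanically. The script below is an added example, not code from the advisory or from the Discourse project: it reads the `site_settings` array as returned by Discourse's admin endpoint `GET /admin/site_settings.json` (shape assumed to be a list of `{"setting": ..., "value": ...}` objects) and reports every other login path that is still enabled alongside `enable_discourse_connect`. The setting names are the real Discourse names, but the list of provider toggles is an assumption and may not cover every plugin; the `fetch_site_settings` helper and the `DISCOURSE_URL`/`DISCOURSE_API_KEY`/`DISCOURSE_API_USERNAME` environment variables are assumptions for live use. The sample exports are constructed for the example.

```python
"""Flag the CVE-2024-49765 login configuration in a Discourse site-settings export."""
import json
import os
import urllib.request

# Real Discourse site-setting names. The provider list is an assumption and
# may be incomplete for sites with third-party login plugins installed.
DISCOURSE_CONNECT = "enable_discourse_connect"
KNOWN_LOGIN_SETTINGS = (
    "enable_local_logins",
    "enable_google_oauth2_logins",
    "enable_github_logins",
    "enable_facebook_logins",
    "enable_twitter_logins",
    "enable_discord_logins",
)


def _truthy(value):
    """Discourse serialises boolean settings as true/false or "true"/"false"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def enabled_settings(site_settings):
    """Map setting name -> bool from the site_settings array (shape assumed)."""
    return {s["setting"]: _truthy(s["value"]) for s in site_settings}


def vulnerable_login_paths(site_settings):
    """Return the login settings that remain enabled alongside DiscourseConnect.

    An empty list means the site is not in the configuration CVE-2024-49765
    affects: either DiscourseConnect is off, or it is the only login method.
    Besides the known names, any enabled setting shaped like enable_*_logins is
    reported as a best-effort catch for plugin-provided providers (assumption).
    """
    enabled = enabled_settings(site_settings)
    if not enabled.get(DISCOURSE_CONNECT, False):
        return []
    hits = [name for name in KNOWN_LOGIN_SETTINGS if enabled.get(name, False)]
    for name, on in sorted(enabled.items()):
        if on and name.startswith("enable_") and name.endswith("_logins") and name not in hits:
            hits.append(name)
    return hits


def fetch_site_settings(base_url, api_key, api_username):
    """Fetch the admin site-settings export (assumed endpoint and JSON shape)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/admin/site_settings.json",
        headers={"Api-Key": api_key, "Api-Username": api_username},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["site_settings"]


# Constructed sample exports (not real site data).
VULNERABLE_EXPORT = {"site_settings": [
    {"setting": "enable_discourse_connect", "value": True},
    {"setting": "enable_local_logins", "value": True},
    {"setting": "enable_google_oauth2_logins", "value": "false"},
]}
HARDENED_EXPORT = {"site_settings": [
    {"setting": "enable_discourse_connect", "value": True},
    {"setting": "enable_local_logins", "value": "false"},
    {"setting": "enable_google_oauth2_logins", "value": False},
]}


if __name__ == "__main__":
    url = os.environ.get("DISCOURSE_URL")
    if url:
        settings = fetch_site_settings(
            url, os.environ["DISCOURSE_API_KEY"], os.environ["DISCOURSE_API_USERNAME"]
        )
    else:
        settings = VULNERABLE_EXPORT["site_settings"]
    paths = vulnerable_login_paths(settings)
    if paths:
        print("AFFECTED: DiscourseConnect enabled with other login paths:", ", ".join(paths))
    else:
        print("not in the affected configuration")
```

The check is deliberately conservative: it only reports when `enable_discourse_connect` is on, because a site without DiscourseConnect is outside the scope of this advisory regardless of how many login methods it offers.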


How to mitigate CVE-2024-49765

Install the security update from the vendor's website. Until it can be applied, the exposure can be closed by disabling every other login method on sites that use DiscourseConnect, since only the combination of DiscourseConnect with another enabled login method is vulnerable.
