Exposure of Private Information ('Privacy Violation') in Discourse - CVE-2024-49765
Published: December 19, 2024 / Updated: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose private personal information.
The vulnerability exists due to improper access control on the other enabled login paths when Discourse Connect is enabled alongside local logins. A remote attacker can create an account or log in through one of these alternate login paths and disclose private personal information.
Only sites that use Discourse Connect while also keeping other login methods enabled are vulnerable.
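A way to check an exported map of site settings for the affected configuration described above. This is an added example, not code from the Discourse project or from this advisory. The setting names (enable_discourse_connect, enable_local_logins and the rest) and the helper names are assumptions that do not appear on this page; adjust the list to the auth plugins actually installed.

```ruby
# Added example: flags login paths left enabled alongside Discourse Connect.
# Setting names are assumptions (not listed in the advisory); verify them
# against the site's own admin settings before relying on the result.
CONNECT_SETTING = "enable_discourse_connect"

OTHER_LOGIN_SETTINGS = %w[
  enable_local_logins
  enable_local_logins_via_email
  enable_google_oauth2_logins
  enable_github_logins
  enable_facebook_logins
  enable_twitter_logins
  enable_discord_logins
].freeze

# Exports may carry booleans or strings ("true"/"t"/"1"); normalise both.
def setting_enabled?(value)
  return value if value == true || value == false
  %w[true t 1 yes].include?(value.to_s.strip.downcase)
end

# Returns the alternate login settings enabled together with Discourse Connect.
# An empty list means the site does not match the affected configuration.
def alternate_login_paths(settings)
  settings = settings.transform_keys(&:to_s)
  return [] unless setting_enabled?(settings[CONNECT_SETTING])
  # Also pick up "enable_*_logins" settings contributed by plugins.
  pattern = /\Aenable_\w+_logins(_via_email)?\z/
  candidates = OTHER_LOGIN_SETTINGS | settings.keys.grep(pattern)
  candidates.select { |name| setting_enabled?(settings[name]) }.sort
end

# Constructed sample data, not taken from any real site.
SAMPLE_EXPOSED = {
  "enable_discourse_connect" => true,
  "enable_local_logins" => "true",
  "enable_local_logins_via_email" => false,
  "enable_github_logins" => "t",
}.freeze

SAMPLE_CONNECT_ONLY = SAMPLE_EXPOSED.merge(
  "enable_local_logins" => false, "enable_github_logins" => false
).freeze

if __FILE__ == $PROGRAM_NAME
  puts alternate_login_paths(SAMPLE_EXPOSED).inspect
  puts alternate_login_paths(SAMPLE_CONNECT_ONLY).inspect
end
```

A non-empty result lists the settings to review or disable on a site that relies on Discourse Connect as its only intended login path.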