Information disclosure in Discourse - CVE-2026-27162

Published: July 1, 2026


Vulnerability identifier: #VU136117
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27162
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in posts_nearby: after topic access has been checked, nearby posts are returned without a further per-post visibility check. A remote user can obtain post excerpts that include whispers and thereby disclose sensitive information.

The issue exposes whispers that should only be visible to users permitted to view whisper content.
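The following is an added example, not Discourse's own code, modelling the bug class described above: the topic-level check passes, but whisper posts are not filtered for the requesting user before excerpts are built. Post types, field names and the can_see_whispers? rule are assumptions made for the illustration.

```ruby
# Added example (not Discourse's own code) modelling the bug class in the
# advisory: topic access is checked, but whisper posts are not filtered per user.
# Post types, field names and the can_see_whispers? rule are assumptions.

Post = Struct.new(:number, :post_type, :raw)   # post_type: :regular or :whisper
User = Struct.new(:name, :staff)

# Constructed sample topic: posts 4 and 6 are whispers, the rest are regular posts.
SAMPLE_POSTS = [
  Post.new(1, :regular, "Has anyone tried the new export feature yet?"),
  Post.new(2, :regular, "Yes, works fine for me on the latest build."),
  Post.new(3, :regular, "Export fails for me with a timeout on large topics."),
  Post.new(4, :whisper, "Staff only: user also reported this via email, checking logs."),
  Post.new(5, :regular, "Retrying with a smaller page size fixed it, thanks."),
  Post.new(6, :whisper, "Staff only: closing the internal ticket."),
].freeze

REGULAR_USER = User.new("alice", false).freeze
STAFF_USER   = User.new("mod", true).freeze

# Assumed visibility rule: only staff may read whisper content.
def can_see_whispers?(user)
  user.staff
end

# Posts within +/- radius of post_number, excluding the anchor post itself.
def posts_in_window(posts, post_number, radius)
  posts.select { |p| p.number != post_number && (p.number - post_number).abs <= radius }
end

# Vulnerable shape: the caller has verified topic access, so every nearby post
# is excerpted, and whispers leak to users who may not read them.
def nearby_excerpts_vulnerable(posts, post_number, radius:, user:, topic_visible:)
  return [] unless topic_visible
  posts_in_window(posts, post_number, radius).map { |p| { number: p.number, excerpt: p.raw[0, 40] } }
end

# Fixed shape: topic access is necessary but not sufficient; each post is also
# filtered by per-post visibility before an excerpt is built.
def nearby_excerpts_fixed(posts, post_number, radius:, user:, topic_visible:)
  return [] unless topic_visible
  posts_in_window(posts, post_number, radius)
    .reject { |p| p.post_type == :whisper && !can_see_whispers?(user) }
    .map { |p| { number: p.number, excerpt: p.raw[0, 40] } }
end

if __FILE__ == $PROGRAM_NAME
  [[:vulnerable, method(:nearby_excerpts_vulnerable)], [:fixed, method(:nearby_excerpts_fixed)]].each do |label, fn|
    nums = fn.call(SAMPLE_POSTS, 3, radius: 2, user: REGULAR_USER, topic_visible: true).map { |e| e[:number] }
    puts "#{label}: regular user sees posts #{nums.inspect}"
  end
end
```

For a non-staff user the vulnerable variant returns the whisper at post 4 alongside the regular posts, while the fixed variant drops it; a staff user sees the same set from both.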


How to mitigate CVE-2026-27162

Install the security update from the vendor's website.

Sources