Incorrect authorization in Discourse - CVE-2026-33410
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access control in the chat direct message API when creating a direct message channel or adding users to an existing one. A remote user can send a specially crafted API request containing a known private or hidden group name to obtain sensitive information.
The issue can expose the identities of members of private or hidden groups.
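The access check this class of flaw calls for, sketched as an added example (a hypothetical model, not Discourse source code and not the vendor's fix): a group name in a direct message request is expanded into members only when the requesting user may see that group's membership. All names here (`Group`, `User`, `GROUPS`, `can_see_members?`, `resolve_dm_targets`) and the sample data are constructed for illustration.

```ruby
require "set"

# Hypothetical model types; not Discourse classes.
Group = Struct.new(:name, :members, :members_visible_to_all, keyword_init: true)
User  = Struct.new(:username, :admin, keyword_init: true)

# Constructed sample data.
GROUPS = {
  "designers"   => Group.new(name: "designers", members: %w[alice bob],
                             members_visible_to_all: true),
  "secret_team" => Group.new(name: "secret_team", members: %w[carol dave],
                             members_visible_to_all: false),
}.freeze

# May `actor` list the members of `group`? In this model: anyone for open
# groups, otherwise only admins and the group's own members.
def can_see_members?(actor, group)
  group.members_visible_to_all || actor.admin ||
    group.members.include?(actor.username)
end

# Resolve the target list for creating a DM channel or adding users to one.
# A group the actor cannot see is handled exactly like an unknown name, so
# the response neither lists its members nor confirms that it exists.
def resolve_dm_targets(actor, usernames: [], group_names: [])
  targets  = Set.new(usernames)
  rejected = []
  group_names.each do |name|
    group = GROUPS[name]
    if group && can_see_members?(actor, group)
      targets.merge(group.members)
    else
      rejected << name
    end
  end
  { targets: targets.to_a.sort, rejected: rejected }
end
```

The authorization decision is made per group, before expansion, on the same code path for both channel creation and adding users, so neither entry point can skip it.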