Information disclosure in Discourse - CVE-2026-33355
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the /private-posts endpoint when handling requests for private message (PM) topics. A remote user can request the private-posts feed for a PM topic they can access and thereby disclose sensitive information.
The exposure is limited to regular PM participants, who could view whisper posts in PM topics they already had access to.