Information disclosure in Discourse - CVE-2026-33394

Published: July 1, 2026


Vulnerability identifier: #VU136130
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33394
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote privileged user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the Post Edits admin report (/admin/reports/post_edits) when displaying post edit data. A remote privileged user can view the report to disclose sensitive information.

The issue exposed the first 40 characters of raw post content from private messages and secure categories to moderators who did not otherwise have access to that content.
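The defect class here is a report that truncates raw post content without applying the same read-visibility rule as the topic view. The following is an added illustration, not Discourse's own code (Discourse uses its own Guardian checks), with a constructed in-memory model and a deliberately simplified visibility rule, showing the unfiltered report beside a filtered one:

```ruby
# Constructed model (hypothetical, not Discourse's schema).
Post = Struct.new(:id, :raw, :archetype, :category_id, :allowed_user_ids, keyword_init: true)
Category = Struct.new(:id, :read_restricted, :allowed_group_ids, keyword_init: true)
Viewer = Struct.new(:id, :admin, :group_ids, keyword_init: true)

PREVIEW_LEN = 40 # the report shows the first 40 characters of raw content

# Vulnerable shape: every edited post is previewed, regardless of who is viewing.
def report_rows_unfiltered(posts)
  posts.map { |p| { post_id: p.id, preview: p.raw[0, PREVIEW_LEN] } }
end

# Simplified visibility rule (assumption): admins see everything; a private
# message is visible only to its participants; a read-restricted category is
# visible only to members of one of its allowed groups.
def can_see?(viewer, post, categories)
  return true if viewer.admin
  return post.allowed_user_ids.include?(viewer.id) if post.archetype == :private_message
  cat = categories[post.category_id]
  return true if cat.nil? || !cat.read_restricted
  (cat.allowed_group_ids & viewer.group_ids).any?
end

# Hardened shape: filter by the viewer's visibility before building previews.
def report_rows(viewer, posts, categories)
  posts.select { |p| can_see?(viewer, p, categories) }
       .map { |p| { post_id: p.id, preview: p.raw[0, PREVIEW_LEN] } }
end

# Constructed sample data: one public post, one secure-category post, one PM.
CATEGORIES = {
  1 => Category.new(id: 1, read_restricted: false, allowed_group_ids: []),
  2 => Category.new(id: 2, read_restricted: true, allowed_group_ids: [10])
}
POSTS = [
  Post.new(id: 1, raw: "Public post, edited twice to fix a broken link", archetype: :regular, category_id: 1, allowed_user_ids: []),
  Post.new(id: 2, raw: "Secure category: unreleased roadmap and internal budget", archetype: :regular, category_id: 2, allowed_user_ids: []),
  Post.new(id: 3, raw: "Private message: here is the reset code you asked for", archetype: :private_message, category_id: nil, allowed_user_ids: [5, 6])
]
MODERATOR = Viewer.new(id: 7, admin: false, group_ids: [3]) # moderator with no access to category 2 or the PM

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{report_rows_unfiltered(POSTS).inspect}"
  puts "filtered:   #{report_rows(MODERATOR, POSTS, CATEGORIES).inspect}"
end
```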


How to mitigate CVE-2026-33394

Install the security update from the vendor's website.

Sources