Improper Authorization in Discourse - CVE-2026-33408
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper authorization in the "Post Edits" report for moderators when viewing post edit history. A remote privileged user can view the first 40 characters of post edits made in private messages and private categories, disclosing sensitive information.
The issue is limited to the first 40 characters of edited content.
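The authorization gap described above, modeled as an added example (not Discourse's code or schema): a report gated only on the moderator role, next to one that also checks each row against the viewer's access. All struct, method and constant names are hypothetical, and the access rule (private messages visible to participants, restricted categories to allowed groups) is an assumption made for illustration.

```ruby
# Hypothetical model of a "post edits" report; not Discourse's code or schema.
require "set"

EXCERPT_LEN = 40 # the advisory's stated exposure: first 40 characters

Topic    = Struct.new(:id, :private_message, :participant_ids, :allowed_group_ids)
Revision = Struct.new(:post_id, :topic, :edited_text)
Viewer   = Struct.new(:id, :moderator, :group_ids)

# Assumed access rule: a private message is visible to its participants only,
# a restricted category to members of an allowed group, everything else to all.
def can_see_topic?(viewer, topic)
  return topic.participant_ids.include?(viewer.id) if topic.private_message
  return true if topic.allowed_group_ids.empty?
  !(topic.allowed_group_ids & viewer.group_ids).empty?
end

def excerpt(rev)
  { post_id: rev.post_id, excerpt: rev.edited_text[0, EXCERPT_LEN] }
end

# Flawed pattern: the moderator role gates the report, but rows are not
# checked against the viewer's access to each topic.
def report_role_only(viewer, revisions)
  return [] unless viewer.moderator
  revisions.map { |rev| excerpt(rev) }
end

# Corrected pattern: same role gate, plus a per-row authorization check
# applied before any excerpt is built.
def report_scoped(viewer, revisions)
  return [] unless viewer.moderator
  revisions.select { |rev| can_see_topic?(viewer, rev.topic) }.map { |rev| excerpt(rev) }
end

# Constructed sample data.
PUBLIC_TOPIC = Topic.new(1, false, Set.new, Set.new)
PM_TOPIC     = Topic.new(2, true, Set[10, 11], Set.new)
STAFF_TOPIC  = Topic.new(3, false, Set.new, Set[50])
REVISIONS = [
  Revision.new(101, PUBLIC_TOPIC, "Fixed a typo in the install instructions for the plugin"),
  Revision.new(102, PM_TOPIC, "Constructed private message text that only participants should read"),
  Revision.new(103, STAFF_TOPIC, "Constructed restricted-category text for one group only"),
]
MODERATOR = Viewer.new(7, true, Set[60])
```

Truncating to 40 characters limits how much leaks per row but is not an access control; only the per-row check removes the private rows from the moderator's report.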