Improper Authorization in Discourse - CVE-2026-33408


Published: July 1, 2026


Vulnerability identifier: #VU136136
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33408
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper authorization in the "Post Edits" report that moderators use to view post edit history. The report did not check whether the viewing moderator could actually see the topic the edited post belongs to, so a remote privileged user (a moderator) could read the first 40 characters of post edits made in private messages and in private categories and thereby disclose sensitive information.

The exposure is limited to the first 40 characters of the edited content shown in the report.
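The authorization gap described above, as an added Ruby sketch that is not Discourse's own code: a moderator-only report that truncates each edit to 40 characters but never asks whether the viewer may see the topic, beside a corrected version that filters on that check. The topic fixtures, `Viewer`, `PostEdit` and the visibility rules are constructed assumptions for this illustration, not Discourse's Guardian logic.

```ruby
# Added example (not Discourse's code): models the "Post Edits" report's
# missing authorization check and a corrected version that applies it.
# All names, fixtures and visibility rules below are constructed.

EXCERPT_LENGTH = 40 # the report shows only the first 40 characters of an edit

# Constructed topics: a public topic, a staff-only category, a private message.
TOPICS = {
  1 => { kind: :public,           allowed_group: nil,    participants: [] },
  2 => { kind: :private_category, allowed_group: :staff, participants: [] },
  3 => { kind: :private_message,  allowed_group: nil,    participants: [7, 9] },
}.freeze

PostEdit = Struct.new(:id, :topic_id, :new_raw)

Viewer = Struct.new(:user_id, :groups, :moderator) do
  # Whether this viewer may read the topic at all (constructed rule set).
  def can_see_topic?(topic_id)
    t = TOPICS.fetch(topic_id)
    case t[:kind]
    when :public           then true
    when :private_category then groups.include?(t[:allowed_group])
    when :private_message  then t[:participants].include?(user_id)
    end
  end
end

# Vulnerable shape: the only gate is "is a moderator", so every edit leaks,
# including those in private messages and private categories.
def vulnerable_post_edits_report(viewer, edits)
  return [] unless viewer.moderator
  edits.map { |e| [e.id, e.new_raw[0, EXCERPT_LENGTH]] }
end

# Corrected shape: each edit is shown only if the viewer could see its topic.
def fixed_post_edits_report(viewer, edits)
  return [] unless viewer.moderator
  edits.select { |e| viewer.can_see_topic?(e.topic_id) }
       .map { |e| [e.id, e.new_raw[0, EXCERPT_LENGTH]] }
end

# Constructed sample edits, one per topic kind.
EDITS = [
  PostEdit.new(1, 1, "Public edit " * 5),
  PostEdit.new(2, 2, "Staff-only category: quarterly numbers attached"),
  PostEdit.new(3, 3, "PM edit: meeting moved to Friday, room B"),
].freeze
```

A moderator who is neither staff nor a PM participant sees all three excerpts from the vulnerable report and only the public one from the corrected report.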


How to mitigate CVE-2026-33408

Install the security update from the vendor's website.

Sources