Authorization bypass through user-controlled key in Discourse - CVE-2026-31869
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper authorization in ComposerController#mentions when handling requests with user-supplied allowed_names values. A remote user can supply a crafted allowed_names parameter and probe usernames to disclose sensitive information.
The response acts as a membership oracle: whether user_reasons returns "private" for a given user reveals whether that user belongs to a hidden group.
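As an added illustration (not Discourse's code), the following simplified Ruby model shows the oracle shape described above next to one mitigation: ignoring allowed_names entries whose group membership the requester is not permitted to see. The users, groups, the hidden-group flag and the reachable?/group_visible_to? helpers are all constructed assumptions, not Discourse internals.

```ruby
User  = Struct.new(:username, :groups)
Group = Struct.new(:name, :public_membership)

# Constructed fixture data (not real Discourse users or groups).
GROUPS = {
  "helpers" => Group.new("helpers", true),  # membership visible to all
  "staff"   => Group.new("staff", false),   # hidden group
}
USERS = {
  "alice" => User.new("alice", ["staff"]),
  "bob"   => User.new("bob", ["helpers"]),
  "carol" => User.new("carol", []),
}

# Can the requester see who is in this group?
def group_visible_to?(group, requester)
  group.public_membership || requester.groups.include?(group.name)
end

# A mentioned user is reachable if named directly or via a listed group.
def reachable?(user, allowed_names)
  allowed_names.include?(user.username) || (user.groups & allowed_names).any?
end

# Vulnerable shape: every allowed_names entry is honoured, so "private" for a
# mentioned user reveals whether that user belongs to a hidden group.
def user_reasons_vulnerable(mentioned, allowed_names, _requester)
  mentioned.each_with_object({}) do |name, reasons|
    user = USERS[name] or next
    reasons[name] = "private" unless reachable?(user, allowed_names)
  end
end

# Hardened shape: drop group names whose membership the requester cannot see
# before computing reasons, so hidden groups never influence the answer.
def user_reasons_hardened(mentioned, allowed_names, requester)
  visible = allowed_names.select do |n|
    USERS.key?(n) || (GROUPS[n] && group_visible_to?(GROUPS[n], requester))
  end
  user_reasons_vulnerable(mentioned, visible, requester)
end

if $PROGRAM_NAME == __FILE__
  carol = USERS["carol"] # not in "staff"; alice is
  p user_reasons_vulnerable(%w[alice bob], ["staff"], carol) # {"bob"=>"private"}
  p user_reasons_hardened(%w[alice bob], ["staff"], carol)   # both "private"
end
```

With the hardened variant, a requester outside the hidden group gets the same answer for every mentioned user, so the response no longer distinguishes members from non-members.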