Improper access control in Discourse - CVE-2026-32951
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in Oneboxer.local_topic when handling an inline onebox request with a user-controlled category_id parameter. A remote user can send a specially crafted inline onebox request to disclose sensitive information.
Only shared draft topic titles are exposed; post content is not disclosed.
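A simplified illustration of the bug class described above, added here as example code that is not Discourse's own: the vulnerable lookup authorizes against the category id taken from the request, while the hardened one derives the category from the topic record and also checks shared-draft visibility. The in-memory tables, the guardian helpers and the function names are assumptions; the real Oneboxer.local_topic and its permission checks are not reproduced.

```ruby
# Hypothetical, simplified model of an inline-onebox topic lookup (not Discourse code).
Topic = Struct.new(:id, :title, :category_id, :shared_draft)
Category = Struct.new(:id, :read_restricted)

# Constructed sample data: one public topic, one shared draft in a restricted category.
TOPICS = {
  1 => Topic.new(1, "Public announcement", 10, false),
  2 => Topic.new(2, "Unreleased launch plan (shared draft)", 20, true),
}.freeze
CATEGORIES = { 10 => Category.new(10, false), 20 => Category.new(20, true) }.freeze

# Simplified guardian (assumption): staff see everything; other users see only
# unrestricted categories and never shared drafts.
def can_see_category?(user, category)
  user[:staff] || !category.read_restricted
end

def can_see_shared_draft?(user)
  user[:staff]
end

# Vulnerable pattern: the permission check is run against whatever category_id
# the caller supplied, so a permitted category id unlocks a topic that lives
# in a restricted one. Only the title is returned, matching the advisory's scope.
def vulnerable_local_topic(user, topic_id, requested_category_id)
  topic = TOPICS[topic_id]
  category = CATEGORIES[requested_category_id]
  return nil unless topic && category && can_see_category?(user, category)
  topic.title
end

# Hardened pattern: ignore the caller-supplied category entirely, authorize
# against the topic's actual category, and apply the shared-draft check too.
def hardened_local_topic(user, topic_id, _requested_category_id = nil)
  topic = TOPICS[topic_id]
  return nil unless topic
  category = CATEGORIES[topic.category_id]
  return nil unless category && can_see_category?(user, category)
  return nil if topic.shared_draft && !can_see_shared_draft?(user)
  topic.title
end
```

Running both functions for a non-staff user against topic 2 with category 10 supplied shows the difference: the vulnerable lookup returns the draft title, the hardened one returns nil.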