Improper access control in Discourse - CVE-2026-33300
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the show action of the Category Chatables controller when handling requests to the `category-chatables` endpoint. A remote user can send a request to this endpoint and obtain the names and user counts of hidden groups, disclosing sensitive information.
The issue exposes hidden group metadata to moderators.
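The advisory describes the general failure pattern: an endpoint serializes group names and member counts without first checking whether the requesting user is allowed to see each group. The Ruby below is an added illustration written for this page, not Discourse's code and not the patch for this CVE. It models a small set of group visibility levels (public, logged-on users, members, staff, owners), a `can_see_group?` check, and the unchecked response beside the hardened one that filters on visibility before serializing. The group and user data are constructed sample values, and the visibility rules are assumptions made for the example.

```ruby
# Added example (not Discourse's code): a minimal model of the access check
# that must run before hidden group names and member counts are returned.

Group = Struct.new(:name, :visibility, :user_count, :member_ids, :owner_ids,
                   keyword_init: true)
User  = Struct.new(:id, :admin, :moderator, keyword_init: true)

# Visibility levels assumed for this example: who may see the group's name
# and member count. `user` is nil for an anonymous request.
def can_see_group?(user, group)
  member = !user.nil? &&
           (group.member_ids.include?(user.id) || group.owner_ids.include?(user.id))
  case group.visibility
  when :public          then true
  when :logged_on_users then !user.nil?
  when :members         then !user.nil? && (user.admin || member)
  when :staff           then !user.nil? && (user.admin || user.moderator || member)
  when :owners          then !user.nil? && (user.admin || group.owner_ids.include?(user.id))
  else false
  end
end

def serialize(group)
  { name: group.name, user_count: group.user_count }
end

# Vulnerable pattern: every group is serialized regardless of visibility,
# so a caller learns hidden group names and member counts.
def chatables_unchecked(groups, _user)
  groups.map { |g| serialize(g) }
end

# Hardened pattern: filter on the visibility check before serializing.
def chatables_checked(groups, user)
  groups.select { |g| can_see_group?(user, g) }.map { |g| serialize(g) }
end

def visible_names(groups, user)
  chatables_checked(groups, user).map { |h| h[:name] }
end

# Constructed sample data for the example.
SAMPLE_GROUPS = [
  Group.new(name: "everyone",         visibility: :public,  user_count: 120,
            member_ids: [],     owner_ids: []),
  Group.new(name: "trusted-regulars", visibility: :members, user_count: 15,
            member_ids: [5, 6], owner_ids: [5]),
  Group.new(name: "staff-only",       visibility: :staff,   user_count: 4,
            member_ids: [1],    owner_ids: [1]),
  Group.new(name: "secret-owners",    visibility: :owners,  user_count: 3,
            member_ids: [7],    owner_ids: [7])
].freeze

ADMIN     = User.new(id: 1, admin: true,  moderator: false)
MODERATOR = User.new(id: 2, admin: false, moderator: true)
REGULAR   = User.new(id: 5, admin: false, moderator: false)

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, moderator: #{chatables_unchecked(SAMPLE_GROUPS, MODERATOR).inspect}"
  puts "checked, moderator:   #{visible_names(SAMPLE_GROUPS, MODERATOR).inspect}"
  puts "checked, anonymous:   #{visible_names(SAMPLE_GROUPS, nil).inspect}"
end
```

The point of the split into `chatables_unchecked` and `chatables_checked` is that the only difference is the `select` on `can_see_group?`: a moderator who is not a member of a members-only or owners-only group gets neither its name nor its count from the hardened version, while the unchecked version hands over both. Tests that assert on the filtered output for a moderator, a regular member and an anonymous caller are the cheapest way to keep such a check from being dropped again.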