Improper access control in Discourse - CVE-2026-32618
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in chat user search when processing the excluded_memberships_channel_id parameter. A remote user can query chat user search with a crafted excluded_memberships_channel_id value to disclose sensitive information.
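The flaw class described above, as a constructed Ruby model added here for illustration (not Discourse source code). It assumes the disclosed information is the membership of a channel the requester cannot access; every name except excluded_memberships_channel_id (can_see_channel?, search_users_checked, the sample users and channels) is hypothetical.

```ruby
# Constructed model of a chat user search; not Discourse source code.
require "set"

User = Struct.new(:id, :username)
Channel = Struct.new(:id, :member_ids, :restricted)

# Constructed sample data.
USERS = [User.new(1, "alice"), User.new(2, "bob"), User.new(3, "carol")].freeze
CHANNELS = {
  10 => Channel.new(10, Set[1, 2], false), # open channel
  20 => Channel.new(20, Set[3], true),     # restricted channel, carol only
}.freeze

# Hypothetical visibility rule (assumption): open channels are visible to
# everyone, restricted channels only to their members.
def can_see_channel?(requester, channel)
  !channel.restricted || channel.member_ids.include?(requester.id)
end

# Weak form: the exclusion filter is applied for any channel id the client
# sends, so the requester's identity never influences the lookup.
def search_users_unchecked(requester, term, excluded_memberships_channel_id: nil)
  results = USERS.select { |u| u.username.start_with?(term) }
  channel = CHANNELS[excluded_memberships_channel_id]
  results = results.reject { |u| channel.member_ids.include?(u.id) } if channel
  results.map(&:username)
end

# Hardened form: the filter is applied only when the requester may see the
# channel. Unknown and forbidden ids are treated the same (filter ignored),
# so the response does not vary with a channel the requester cannot access.
def search_users_checked(requester, term, excluded_memberships_channel_id: nil)
  results = USERS.select { |u| u.username.start_with?(term) }
  channel = CHANNELS[excluded_memberships_channel_id]
  if channel && can_see_channel?(requester, channel)
    results = results.reject { |u| channel.member_ids.include?(u.id) }
  end
  results.map(&:username)
end

# Regression check: for a channel the requester cannot see, the results with
# and without the filter must be identical.
def filter_changes_results?(search, requester, channel_id)
  baseline = send(search, requester, "")
  filtered = send(search, requester, "", excluded_memberships_channel_id: channel_id)
  baseline != filtered
end
```

The same comparison works as an upgrade check: run it against the search endpoint with an account that has no access to the channel in question and confirm the filter has no effect on the response.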