Observable discrepancy in Discourse - CVE-2026-33425
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to infer private group membership or group existence.
The vulnerability exists due to an observable discrepancy in how the user directory handles user-supplied exclude_groups values when processing directory requests. A remote attacker can send crafted requests with the exclude_groups parameter and observe changes in directory results to infer private group membership or group existence.
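The discrepancy described above and one way to close it, as an added Ruby model that is not Discourse's code or its actual fix. The group names, users, comma-separated parameter format and visibility rule are assumptions made for the illustration.

```ruby
# Added illustration: a minimal in-memory model, not Discourse code.
# Groups, users and the visibility rule are constructed for this example.
require "set"

Group = Struct.new(:name, :members, :visible_to_public)

GROUPS = [
  Group.new("staff",        Set["alice"],        true),
  Group.new("secret_audit", Set["bob", "carol"], false) # private group
].freeze
USERS = %w[alice bob carol dave].freeze

# Resolve the user-supplied parameter (assumed comma-separated) to known groups.
def requested_groups(param)
  names = param.to_s.split(",").map(&:strip).reject(&:empty?)
  GROUPS.select { |g| names.include?(g.name) }
end

# Discrepant behaviour: every named group is applied, whoever is asking.
def directory_unscoped(exclude_groups, _viewer)
  hidden = requested_groups(exclude_groups).flat_map { |g| g.members.to_a }
  USERS - hidden
end

# Assumed visibility rule: a group is visible if public or the viewer is a member.
def visible?(group, viewer)
  group.visible_to_public || group.members.include?(viewer)
end

# Scoped behaviour: groups the viewer cannot see are dropped before filtering,
# so a private group and a nonexistent one produce the same listing.
def directory_scoped(exclude_groups, viewer)
  allowed = requested_groups(exclude_groups).select { |g| visible?(g, viewer) }
  USERS - allowed.flat_map { |g| g.members.to_a }
end

# Regression check: is the listing identical for a private, unknown and absent value?
def indistinguishable?(handler, viewer)
  baseline = send(handler, nil, viewer)
  ["secret_audit", "no_such_group"].all? { |v| send(handler, v, viewer) == baseline }
end
```

A check shaped like `indistinguishable?` is the useful regression test for this class of bug: it asserts that the response carries no signal, rather than asserting on any one listing.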