Improper access control in Discourse - CVE-2026-33424
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote privileged user to disclose sensitive information and modify access to a private message topic.
The vulnerability exists due to improper access control in the private message invite mechanism when handling invites after access to the private message has been revoked. A remote privileged user can send an invite that grants access to the private message topic, which discloses sensitive information and modifies access to that topic.
User interaction is required to accept the invite.