Improper access control in Discourse - CVE-2026-33422
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access control in the review queue when displaying details of flagged users. A remote user can access the review queue, view the exposed ip_address of a flagged user, and thereby obtain sensitive information.
User interaction is required to access the review queue.
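
The failure mode described above, as an added Ruby example that is not Discourse's code or its patch: a review-queue serializer that emits ip_address unconditionally beside one that gates it on a per-viewer check, plus a recursive scan of the response that can serve as a regression test. The struct names, the can_see_ip flag and the payload shape are assumptions made for illustration.

```ruby
require "json"

# Hypothetical stand-ins for a flagged user and the person viewing the queue.
FlaggedUser = Struct.new(:id, :username, :ip_address)
Viewer = Struct.new(:name, :can_see_ip)

# Constructed sample record (documentation-range IP address).
SAMPLE_USER = FlaggedUser.new(42, "flagged_user", "203.0.113.7")

# "Before" shape: every attribute is serialized, regardless of who is asking.
def serialize_unchecked(user, _viewer)
  { "id" => user.id, "username" => user.username, "ip_address" => user.ip_address }
end

# Hardened shape: sensitive fields are added only after an explicit
# per-viewer permission check, so the default is to omit them.
def serialize_checked(user, viewer)
  payload = { "id" => user.id, "username" => user.username }
  payload["ip_address"] = user.ip_address if viewer.can_see_ip
  payload
end

# Wraps a serialized user in a constructed review-queue response shape.
def review_queue_payload(serializer, user, viewer)
  { "reviewables" => [{ "type" => "flagged_user", "user" => send(serializer, user, viewer) }] }
end

# Recursively collects the path of every sensitive key in a nested payload,
# so a test can assert that nothing leaks for a viewer without permission.
def sensitive_paths(node, keys = %w[ip_address], path = "$")
  case node
  when Hash
    node.flat_map do |k, v|
      here = "#{path}.#{k}"
      (keys.include?(k.to_s) ? [here] : []) + sensitive_paths(v, keys, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| sensitive_paths(v, keys, "#{path}[#{i}]") }
  else
    []
  end
end

if __FILE__ == $PROGRAM_NAME
  limited = Viewer.new("limited_reviewer", false)
  %i[serialize_unchecked serialize_checked].each do |s|
    body = JSON.parse(JSON.generate(review_queue_payload(s, SAMPLE_USER, limited)))
    puts "#{s}: leaked paths = #{sensitive_paths(body).inspect}"
  end
end
```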