Improper access control in Discourse - CVE-2021-43792

 

Improper access control in Discourse - CVE-2021-43792

Published: December 1, 2021 / Updated: July 1, 2026


Vulnerability identifier: #VU136515
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-43792
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in tag group visibility and notification handling when processing notifications for previously watched tags. A remote user can retain access to notifications for restricted tags after group permissions are revoked to disclose sensitive information.

The issue affects deployments using the "Tags are visible only to the following groups" feature, and occurs when a user was previously tracking or watching the restricted tags before losing access.


How to mitigate CVE-2021-43792

Install security update from vendor's website.

Sources