Improper access control in Discourse - CVE-2026-44785

Published: July 1, 2026


Vulnerability identifier: #VU136584
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44785
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software: Discourse

Detailed vulnerability description

The vulnerability allows a remote user to obtain sensitive information.

The vulnerability exists due to improper access control in the AI "explain" helper when it explains a reply to a hidden parent post. A remote user can invoke the "Explain" feature on such a reply to obtain sensitive information.

Only authenticated users with access to the AI helper feature are able to exploit this issue.
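The bug class described above, as an added illustration in plain Ruby that is not Discourse's code: a helper authorizes the post it is asked to explain but pulls the parent post into its context without running the same visibility check. The `Post`, `User`, `can_see?` and both `explain_context_*` functions, and the sample thread, are hypothetical constructs for this example.

```ruby
# Hypothetical model of the bug class (constructed for this example, not Discourse's code).
Post = Struct.new(:id, :raw, :hidden, :parent_id, keyword_init: true)
User = Struct.new(:name, :staff, keyword_init: true)

# Constructed sample thread: a hidden parent post and a visible reply to it.
POSTS = {
  1 => Post.new(id: 1, raw: "moderator-hidden parent text", hidden: true,  parent_id: nil),
  2 => Post.new(id: 2, raw: "reply text",                   hidden: false, parent_id: 1),
}

# Assumed authorization rule: hidden posts are visible only to staff.
def can_see?(user, post)
  !post.hidden || user.staff
end

# Vulnerable pattern: only the post being explained is checked; the parent it
# replies to is added to the helper's context without a check of its own.
def explain_context_vulnerable(user, post_id)
  post = POSTS.fetch(post_id)
  raise "forbidden" unless can_see?(user, post)
  parent = post.parent_id && POSTS[post.parent_id]
  [parent&.raw, post.raw].compact
end

# Hardened pattern: every post that ends up in the context passes the same
# visibility check, so anything the user cannot see is left out entirely.
def explain_context_fixed(user, post_id)
  post = POSTS.fetch(post_id)
  raise "forbidden" unless can_see?(user, post)
  chain = [post]
  chain.unshift(POSTS[post.parent_id]) if post.parent_id
  chain.select { |p| can_see?(user, p) }.map(&:raw)
end
```

The same rule applies to any context a helper assembles (quoted posts, earlier posts in the topic): each object is authorized individually, not by inheriting the permission that was granted for the target post.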


How to mitigate CVE-2026-44785

Install the security update from the vendor's website.

Sources