Missing Authorization in Discourse - CVE-2026-33514
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the form template API when handling requests for form templates. A remote user can send a request to read the name and structured content of form templates to disclose sensitive information.
Only instances with the form templates feature enabled are vulnerable.