Improper access control in Discourse - CVE-2026-49256


Published: July 1, 2026


Vulnerability identifier: #VU136593
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-49256
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the category and group endpoints. The category serializer included data about restricted tag groups (tag groups whose visibility is limited to particular user groups) whenever those tag groups were attached to a publicly readable category as allowed_tags, allowed_tag_groups, or required tag groups. A remote, unauthenticated attacker can request those endpoints and read the restricted tag and tag group names that should only be visible to the permitted groups.

Only sites that use tag group restrictions and attach those restricted tags or tag groups to publicly readable categories are affected.
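A site operator can check for this exposure without waiting on a patch by looking at what an anonymous visitor actually receives from the category listing. The script below is an added example written for this page; it is not Discourse code and not part of the advisory. It assumes the /categories.json response carries each category's read_restricted, allowed_tags, allowed_tag_groups and required_tag_groups fields (field names as understood by the author of this example; verify them against your own site), and that the list of restricted tag groups and their tags is supplied separately, for instance by an administrator from the admin tag group settings. The embedded JSON is constructed sample data.

```ruby
require "json"
require "net/http"
require "uri"

# Tag groups whose visibility is restricted, keyed by tag group name,
# with the tags they contain. On a real site an administrator supplies
# this from the tag group settings; here it is constructed sample data.
RESTRICTED_TAG_GROUPS = {
  "internal-projects" => %w[project-falcon project-heron],
  "hr-only"           => %w[salary-review],
}.freeze

# Constructed sample of a /categories.json response, trimmed to the
# fields this check needs. Field names are an assumption about the
# Discourse category serializer; compare with your site's real output.
SAMPLE_CATEGORIES_JSON = <<~JSON
  {"category_list": {"categories": [
    {"id": 5, "slug": "announcements", "read_restricted": false,
     "allowed_tags": ["project-falcon", "news"],
     "allowed_tag_groups": ["internal-projects"],
     "required_tag_groups": [{"name": "hr-only", "min_count": 1}]},
    {"id": 9, "slug": "staff-lounge", "read_restricted": true,
     "allowed_tags": [], "allowed_tag_groups": ["hr-only"],
     "required_tag_groups": []},
    {"id": 12, "slug": "general", "read_restricted": false,
     "allowed_tags": ["news"], "allowed_tag_groups": ["public-topics"],
     "required_tag_groups": []}
  ]}}
JSON

def finding(cat, field, value)
  { category: cat["slug"], category_id: cat["id"], field: field, value: value }
end

# Returns one finding for every restricted tag group name, or tag from a
# restricted tag group, that appears in the public serializer data of a
# publicly readable (read_restricted == false) category.
def exposed_restricted_tags(categories_json, restricted_groups = RESTRICTED_TAG_GROUPS)
  tag_to_group = {}
  restricted_groups.each { |group, tags| tags.each { |t| tag_to_group[t] = group } }

  categories = JSON.parse(categories_json).dig("category_list", "categories") || []
  findings = []

  categories.each do |cat|
    next if cat["read_restricted"] # only publicly readable categories are in scope

    Array(cat["allowed_tag_groups"]).each do |name|
      findings << finding(cat, "allowed_tag_groups", name) if restricted_groups.key?(name)
    end
    Array(cat["required_tag_groups"]).each do |rtg|
      # required tag groups are serialized as {"name" => ..., "min_count" => ...}
      name = rtg.is_a?(Hash) ? rtg["name"] : rtg
      findings << finding(cat, "required_tag_groups", name) if restricted_groups.key?(name)
    end
    Array(cat["allowed_tags"]).each do |tag|
      group = tag_to_group[tag]
      findings << finding(cat, "allowed_tags", "#{tag} (tag group #{group})") if group
    end
  end
  findings
end

# Anonymous fetch of the live endpoint (no cookies, no API key), so the
# body is exactly what an unauthenticated visitor sees.
def fetch_categories_json(base_url)
  uri = URI.join(base_url, "/categories.json")
  res = Net::HTTP.get_response(uri)
  raise "HTTP #{res.code} from #{uri}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_tag_exposure.rb https://forum.example.org
  # With no argument the constructed sample above is audited instead.
  source = ARGV[0] ? fetch_categories_json(ARGV[0]) : SAMPLE_CATEGORIES_JSON
  exposed_restricted_tags(source).each do |f|
    puts "#{f[:category]} (id #{f[:category_id]}): #{f[:field]} exposes #{f[:value]}"
  end
end
```

Any finding means the names of restricted tags or tag groups are readable by anyone who can see the category, which is the condition the advisory describes; an empty result after updating is the expected state. The check deliberately skips categories with read_restricted set, because exposure inside a category the visitor cannot read is not what this issue concerns.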


How to mitigate CVE-2026-49256

Install the security update from the vendor's website.
