Improper access control in Discourse - CVE-2026-49256
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in category and group endpoints when exposing category serializer data for publicly readable categories with restricted tag groups attached as allowed_tags, allowed_tag_groups, or required tag groups. A remote attacker can access those endpoints to disclose sensitive information.
Only sites that use tag group restrictions and attach those restricted tags or tag groups to publicly readable categories are affected.
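An added example, not part of the advisory or of Discourse's code: a Python check for the affected configuration described above, run over a site inventory an administrator exports. The inventory layout (the `public`, `restricted`, `tags` and `required_tag_groups` keys) and the sample data are assumptions constructed for illustration; only `allowed_tags` and `allowed_tag_groups` are names taken from the advisory.

```python
# Added example: flags the configuration the advisory describes as affected.
# The inventory layout is an assumption; map your own export onto these keys.

def find_exposed(categories, tag_groups):
    """Return sorted (category, field, name) findings for publicly readable
    categories that reference a restricted tag group or one of its tags."""
    restricted_groups = {g["name"] for g in tag_groups if g["restricted"]}
    restricted_tags = {t for g in tag_groups if g["restricted"] for t in g["tags"]}
    findings = []
    for cat in categories:
        if not cat["public"]:
            continue  # only publicly readable categories match the advisory
        for tag in cat.get("allowed_tags", []):
            if tag in restricted_tags:
                findings.append((cat["name"], "allowed_tags", tag))
        for field in ("allowed_tag_groups", "required_tag_groups"):
            for group in cat.get(field, []):
                if group in restricted_groups:
                    findings.append((cat["name"], field, group))
    return sorted(findings)

# Constructed sample inventory (not real site data).
TAG_GROUPS = [
    {"name": "internal-triage", "restricted": True,
     "tags": ["embargoed", "legal-hold"]},
    {"name": "platforms", "restricted": False, "tags": ["linux", "windows"]},
]
CATEGORIES = [
    {"name": "Support", "public": True,
     "allowed_tags": ["linux", "embargoed"],
     "allowed_tag_groups": ["platforms"],
     "required_tag_groups": ["internal-triage"]},
    {"name": "Staff", "public": False,
     "allowed_tag_groups": ["internal-triage"]},
    {"name": "General", "public": True, "allowed_tag_groups": ["platforms"]},
]

if __name__ == "__main__":
    for category, field, name in find_exposed(CATEGORIES, TAG_GROUPS):
        print(f"{category}: {field} references restricted entry {name!r}")
```

An empty result means no publicly readable category in the inventory references a restricted tag or tag group, which is the condition the advisory gives for a site not being affected.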