Improper access control in Discourse - CVE-2026-45780
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in private event invitee serialization when rendering event data to users who can view the topic. A remote attacker can view a topic containing a private event to disclose sensitive information.
Exposed information may include invited group names, sample invitees, and attendance statistics for the private event.