Improper access control in Discourse - #VU136597

 

Published: July 1, 2026


Vulnerability identifier: #VU136597
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software: Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in post revision diffs: the check fails when a user views the visible diffs of adjacent revisions. A remote attacker can access these adjacent visible diffs to disclose sensitive information.

Hidden post revisions intended to be unavailable to regular users may be exposed through revision comparisons.


Remediation

Install the security update from the vendor's website.
