Severity by source
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory; only source for this CVE.
Description (GitHub Advisory)
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.
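The workaround above is a per-group setting, so an administrator wants a quick way to find every group that is both hidden-membership and messageable by any logged-in user. The following audit script is an added example, not code from the advisory or from Discourse; it assumes the `/groups.json` field names and level values listed in its comments (taken from the Discourse Group model, not from this page) and runs on a constructed sample response.

```python
import json

# Assumed (from the Discourse Group model, not from this advisory):
# members_visibility_level: 0 public, 1 logged-on users, 2 members,
#                           3 staff, 4 owners
# messageable_level:        0 nobody, 1 admins, 2 mods+admins,
#                           3 members+mods+admins, 4 owners+mods+admins,
#                           99 everyone
HIDDEN_MEMBERSHIP = {2, 3, 4}   # non-members cannot see who is in the group
MESSAGEABLE_BY_EVERYONE = 99    # any logged-in user can message the group
RECOMMENDED_MESSAGEABLE = 3     # workaround: members, mods and admins only

# Constructed sample of what GET /groups.json returns; not real site data.
SAMPLE_GROUPS_JSON = json.dumps({
    "groups": [
        {"name": "security-team", "members_visibility_level": 3,
         "messageable_level": 99},
        {"name": "moderators", "members_visibility_level": 3,
         "messageable_level": 3},
        {"name": "book-club", "members_visibility_level": 0,
         "messageable_level": 99},
        {"name": "legacy", "members_visibility_level": 2},
    ]
})


def exposed_groups(groups_json: str) -> list[dict]:
    """Groups whose membership is hidden yet any authenticated user can
    message them: exactly the precondition the advisory describes."""
    findings = []
    for g in json.loads(groups_json).get("groups", []):
        visibility = g.get("members_visibility_level", 0)
        messageable = g.get("messageable_level", 0)
        if visibility in HIDDEN_MEMBERSHIP and messageable == MESSAGEABLE_BY_EVERYONE:
            findings.append({
                "name": g["name"],
                "members_visibility_level": visibility,
                "messageable_level": messageable,
                "recommended_messageable_level": RECOMMENDED_MESSAGEABLE,
            })
    return findings


if __name__ == "__main__":
    for f in exposed_groups(SAMPLE_GROUPS_JSON):
        print(f"{f['name']}: set messageable_level to "
              f"{f['recommended_messageable_level']} until patched")
```

Feed it the JSON fetched with an admin API key; each flagged group is one whose messageable policy should be tightened until the upgrade lands.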
Analysis (AI)
Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contains an information disclosure vulnerability in the ComposerController#mentions endpoint that reveals hidden group membership to any authenticated user capable of messaging the group. An attacker can exploit this by supplying hidden-membership group names and probing arbitrary usernames to infer membership based on whether the user_reasons field returns 'private', effectively bypassing group member-visibility controls designed to protect sensitive group information. …
Vulnerability Assessment (AI)
| Topic | Assessment |
| --- | --- |
| Risk Assessment | The CVSS 4.0 score of 5.3 reflects a low-impact information disclosure (Confidentiality: Low) with network accessibility and low attack complexity, but critically requires prior authentication (PR:L). … |
| Exploit Scenario | An authenticated user on a Discourse instance with basic messaging permissions targets a hidden-membership security team group. The attacker uses the ComposerController#mentions endpoint with the group name and iteratively probes a list of employee usernames, observing that certain usernames return 'private' in the user_reasons field while others do not. … |
| Remediation | Immediately upgrade Discourse to version 2026.1.2, 2026.2.1, or 2026.3.0-latest.1 or later, depending on your current minor version; see https://github.com/discourse/discourse/security/advisories/GHSA-5f9h-vp7v-7vq5 for version-specific guidance. … |
Recommended Action (AI)
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
EUVD-2026-13496