EUVD-2026-17574Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
AnalysisAI
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0-beta allow authenticated moderators to bypass category permission controls and retrieve post content, topic titles, and usernames from categories they lack authorization to access via a sentiment analytics endpoint. Patches are available (2026.1.3, 2026.2.2, 2026.3.0); no public exploit code or active exploitation has been identified.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | CVSS 5.1 with vector AV:N/AC:L/PR:H/UI:N indicates a low-severity issue from the base score perspective: remote network access with low complexity, but requiring high-privilege (moderator) authentication-reducing the threat actor pool significantly. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious insider with moderator privileges on a Discourse instance could repeatedly call the unprotected sentiment analytics endpoint, iterating through category identifiers to harvest restricted post content, topic titles, and usernames from categories they were never granted access to view. Because the attack requires no user interaction (UI:N) and uses standard network access, an attacker could automate this data exfiltration in minutes. |
| Remediation | Upgrade immediately to patched versions: Discourse 2026.1.3 or later for the 2026.1.x branch, 2026.2.2 or later for the 2026.2.x branch, or 2026.3.0 final release for the 2026.3.x branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa
Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi
Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m
Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte
Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both
Share
External POC / Exploit Code
Leaving vuln.today