Discourse
CVE-2026-33424
MEDIUM
Severity by source
AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
AnalysisAI
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain an access control bypass vulnerability where attackers can grant invites to private message topics even after losing direct access to those conversations. This authentication bypass (CWE-863) allows unauthorized lateral privilege escalation within discussion communities. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | The CVSS 3.1 score of 5.9 reflects a medium-severity vulnerability with specific contextual constraints: Attack Vector Adjacent (AV:A) limits exposure to local network segments, Attack Complexity High (AC:H) and User Interaction Required (UI:R) further reduce real-world exploitability, and Privileges High (PR:H) require the attacker to be an authenticated, previously-privileged user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An employee granted access to a confidential PM thread containing acquisition discussions is removed from the project due to reorganization. Before their access is revoked in Discourse, they preemptively send PM invites to external collaborators or competitors. … |
| Remediation | Upgrade Discourse immediately to version 2026.1.2, 2026.2.1, or 2026.3.0-latest.1 or any later release, depending on your current branch (see GitHub security advisory at https://github.com/discourse/discourse/security/advisories/GHSA-hgcp-p7hq-cwxw). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa
Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi
Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m
Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte
Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both
Share
External POC / Exploit Code
Leaving vuln.today