Discourse
CVE-2026-33425
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the exclude_groups parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin → Settings → hide user profiles from public.
AnalysisAI
An information disclosure vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to enumerate private group membership by observing directory result changes when manipulating the exclude_groups parameter. This enables attackers to determine whether specific users are members of private groups without authentication, representing a direct privacy violation. The vulnerability does not appear to be actively exploited in the wild (no KEV status indicated), but patches are available from the vendor.
Technical ContextAI
The vulnerability stems from CWE-203 (Observable Discrepancy), a classic information disclosure weakness where the application leaks sensitive data through observable behavioral differences. Discourse's user directory functionality, specifically the exclude_groups filtering parameter, fails to enforce proper access controls or sanitize response differences for unauthenticated requests. When an unauthenticated user queries the directory with exclude_groups parameters targeting private groups, the platform returns different result sets depending on group membership status, allowing an attacker to infer membership by comparing responses. The affected product is Discourse (cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*), an open-source discussion platform written in Ruby on Rails that manages user directories and group memberships.
RemediationAI
Upgrade Discourse immediately to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or later, depending on your release branch (see vendor advisory at https://github.com/discourse/discourse/security/advisories/GHSA-r6rh-xvf5-r5f2). As an interim workaround if immediate patching is not feasible, disable public access to the user directory by navigating to Admin → Settings → hide user profiles from public. This prevents unauthenticated users from querying the directory entirely, eliminating the attack vector while patches are staged for deployment. Additionally, review group visibility settings and audit which groups are configured as private to minimize exposure.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today