Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Patch tests show injection succeeds on unauthenticated signup, so PR:N and AC:L; whisper read access drives C:H with minor I:L and no availability impact.
Primary rating from Vendor (github).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionNVD
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
AnalysisAI
Privilege escalation in Discourse (the open-source discussion platform) lets a newly registered user obtain whisper-group ('whisperer') privileges by supplying a primary_group_id during the signup flow, without ever being a legitimate member of that group. Exploitation only matters on sites that have configured whispers_allowed_groups, and success grants read access to staff-only whisper posts (a confidentiality-focused impact). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Discourse site to have the whispers_allowed_groups site setting configured - a non-default, opt-in staff feature; without it, injecting primary_group_id grants no whisper privilege and the bug is inert. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a real but moderate-priority issue rather than an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Discourse forum that has enabled group-based whispers, an attacker scripts the public registration endpoint and includes primary_group_id set to the ID of a whisper-allowed group in the signup payload. Once the account is created, the attacker is treated as a whisperer and can read (and post) staff-only whisper content that should be hidden from ordinary members. … |
| Remediation | Vendor-released patch: upgrade to Discourse 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 (whichever matches your release branch), available at https://github.com/discourse/discourse/releases (tags v2026.6.0, v2026.5.1, v2026.4.2, v2026.1.5). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Discourse installations in your environment and confirm which have whispers_allowed_groups enabled, as only those configurations face risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42735