Discourse CVE-2026-45085

EUVD-2026-36558 · MEDIUM
Missing Authorization (CWE-862)
2026-06-12 · GitHub_M
5.3 (CVSS 3.1) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

vuln.today AI: 6.5 MEDIUM

PR:N captures the anonymous calendar disclosure vector; I:L is added because read-only users can create threads and authors can restore deleted messages, integrity impacts that the published vector omits.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 12, 2026 - 22:01 (EUVD)
Analysis generated: Jun 12, 2026 - 21:32 (vuln.today)

Description (CVE.org)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Analysis (AI)

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both information disclosure and unauthorized write actions: calendar event API payloads expose the associated chat channel's last message - potentially a private DM - to unauthenticated users, while separate flaws allow read-only users to create chat threads, authors to restore their own deleted messages after losing channel access, and moderators reviewing flagged messages to inadvertently view unrelated DM content. Vendor-released patches exist for all supported branches; no public exploit identified at time of analysis and EPSS is 0.04% (11th percentile), but the unauthenticated DM disclosure warrants prompt patching on public-facing instances.
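As an added illustration of the two issues the description and analysis above walk through (the calendar payload embedding a chat channel's last_message for viewers without chat access, and read-only category members creating chat threads), the following Ruby contrasts an unconditional serializer with one that runs an explicit access check first. This is example code, not Discourse's or discourse-calendar's own; the models, the guardian-style functions and the permission values are hypothetical.

```ruby
# Added illustration, not Discourse code: hypothetical models and guardian checks.
ChatChannel   = Struct.new(:id, :member_ids, :last_message, keyword_init: true)
CalendarEvent = Struct.new(:id, :name, :chat_channel, keyword_init: true)
User          = Struct.new(:id, :category_permission, keyword_init: true)

# Hypothetical guardian: anonymous viewers (nil) never see a channel; members only if listed.
def can_see_chat_channel?(viewer, channel)
  !viewer.nil? && channel.member_ids.include?(viewer.id)
end

# Hypothetical guardian for thread creation: a :readonly category member may read,
# but only :full permission grants write actions such as creating a thread.
def can_create_chat_thread?(viewer)
  !viewer.nil? && viewer.category_permission == :full
end

# Vulnerable shape: the linked channel, including its last message, is embedded
# for every viewer of the event, regardless of chat access.
def serialize_event_unchecked(event)
  ch = event.chat_channel
  { id: event.id, name: event.name,
    chat_channel: { id: ch.id, last_message: ch.last_message } }
end

# Hardened shape: the chat_channel block is emitted only after an explicit access
# check against the viewer, so anonymous and non-member viewers get the event alone.
def serialize_event_checked(event, viewer)
  payload = { id: event.id, name: event.name }
  ch = event.chat_channel
  if ch && can_see_chat_channel?(viewer, ch)
    payload[:chat_channel] = { id: ch.id, last_message: ch.last_message }
  end
  payload
end

# Thread-creation handler that enforces the write check before doing anything.
def create_chat_thread(viewer, channel, title)
  return { error: "forbidden" } unless can_create_chat_thread?(viewer)
  { channel_id: channel.id, title: title, created_by: viewer.id }
end

# Constructed sample data (not real message content)
DM_CHANNEL = ChatChannel.new(id: 7, member_ids: [1, 2], last_message: "private DM text")
EVENT      = CalendarEvent.new(id: 42, name: "Team sync", chat_channel: DM_CHANNEL)
MEMBER     = User.new(id: 1, category_permission: :full)
READONLY   = User.new(id: 3, category_permission: :readonly)
```

The point of the hardened serializer is that the access decision is made per viewer at serialization time rather than assumed from the fact that the viewer can see the event.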


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Access Discourse site anonymously
Exploit: Request calendar event linked to chat channel
Execution: API response serializes unredacted last_message DM
Impact: Read private direct message content without authorization

Vulnerability Assessment (AI)

Exploitation: The unauthenticated disclosure requires both the chat plugin and the discourse-calendar plugin to be enabled on the target instance, at least one calendar event linked to a chat channel, and that channel having a non-empty last_message value; no authentication or elevated privilege is required beyond the ability to view the calendar event. …

Risk Assessment: The published CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium), but the PR:N and I:N assignments merit scrutiny. PR:N correctly reflects the worst-case unauthenticated calendar disclosure, yet three of the four sub-issues require an authenticated session (read-only user, message author, or moderator), and at least two produce integrity-class impacts (thread creation, message restoration) that the published I:N does not capture. …

Exploit Scenario: An anonymous visitor to a Discourse community that has both the chat and discourse-calendar plugins enabled requests a calendar event page whose event is linked to an active chat channel; the API response serializes that channel's last_message field, exposing private DM content to the unauthenticated visitor without any special tooling or prior access. In a separate scenario, a forum member with only read-only access to a restricted category sends a crafted API request to the chat thread-creation endpoint and succeeds in creating a thread despite their read-only role.

Remediation: Vendor-released patches are available. Upgrade Discourse to version 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, as applicable to the installed release branch, per the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w. …
