Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H maps the CVSS 4.0 AT:P precondition; PR:N because no auth needed once conditions exist; C:L for tag-name-only disclosure with no integrity or availability impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
AnalysisAI
Restricted tag and tag-group name disclosure in Discourse exposes internal taxonomy metadata to anonymous and unauthorized users via the category and group API endpoints. All Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when restricted tags or tag groups are configured on publicly readable categories. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Discourse instance has at least one restricted tag or restricted tag group assigned as allowed_tags, allowed_tag_groups, or a required tag group on a publicly readable category. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) accurately reflects the limited blast radius: AV:N/AC:L/PR:N/UI:N indicate the endpoint is trivially reachable by any unauthenticated actor, but AT:P confirms that exploitation is gated on a specific administrator-configured precondition (restricted tags attached to public categories). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a standard HTTP GET request to a public Discourse forum's /categories.json or equivalent group endpoint. The JSON response includes the names of restricted tags and tag groups attached to publicly readable categories, which the attacker records for organizational intelligence gathering or targeted social engineering. … |
| Remediation | Upgrade Discourse to one of the patched releases: v2026.6.0, v2026.5.1, v2026.4.2, or v2026.1.5, as documented in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun
Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated
Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is
Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is
Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici
Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42730