Skip to main content

Discourse EUVD-2026-36561

| CVE-2026-47264 MEDIUM
Information Exposure (CWE-200)
2026-06-12 GitHub_M
Information Disclosure Discourse
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Endpoint is network-accessible without authentication (AV:N/PR:N), attack is straightforward once the site setting is enabled (AC:L), and impact is limited to disclosure of tag group names only (C:L/I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 22:01 EUVD
Analysis Generated
Jun 12, 2026 - 21:30 vuln.today

DescriptionCVE.org

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

AnalysisAI

Tag group name disclosure in Discourse exposes restricted organizational metadata to anonymous and unprivileged users via a serializer that omits visibility filtering. Affected release lines are 2026.1.x (before 2026.1.4), 2026.3.x (before 2026.3.1), and 2026.4.x (before 2026.4.1), with the root cause being that DetailedTagSerializer#tag_group_names returned all group memberships without consulting the requesting user's permissions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Discourse instance with tags endpoint accessible
Delivery
Confirm tags_listed_by_group is enabled via response structure
Exploit
Send unauthenticated GET to TagsController#info
Execution
Parse unfiltered tag group names from response
Impact
Enumerate restricted group and category names
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Discourse instance has SiteSetting.tags_listed_by_group explicitly enabled in its site configuration - this is a non-default administrative option that must be turned on intentionally. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects network reachability and zero authentication requirements, but the real-world risk is substantially lower than the CVSS score might imply in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP GET request to the /tags/[tagname] or equivalent TagsController#info endpoint of a Discourse instance where tags_listed_by_group is enabled, and receives a JSON response containing tag group names that the administrator intended to restrict to privileged user groups. By iterating over known or guessed tag names, the attacker builds a map of restricted category and group names - for example, confirming the existence of a 'staff-only' or 'security-team' group - without ever authenticating. …
Remediation The primary remediation is to upgrade Discourse to a patched release: 2026.1.4 for the 2026.1.x branch, 2026.3.1 for the 2026.3.x branch, 2026.4.1 for the 2026.4.x branch, or 2026.5.0-latest.1 for the latest stable channel. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-44786 HIGH
7.5 Jun 12

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa
CVE-2026-45775 MEDIUM
6.8 Jun 12

Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi
CVE-2026-44784 MEDIUM
6.5 Jun 12

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m
CVE-2026-44783 MEDIUM
5.4 Jun 12

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte
CVE-2026-45085 MEDIUM
5.3 Jun 12

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both

Share

EUVD-2026-36561 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy