
Discourse EUVD-2026-36582

CVE-2026-44786 · HIGH
Information Exposure (CWE-200)
2026-06-12 · Source: GitHub_M
CVSS 3.1 base score 7.5 (Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), PRIMARY: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 4.3 MEDIUM
Rationale: the realistic attacker is an authenticated forum user holding a MessageBus subscription (PR:L), and only chat content from public category channels leaks, so the confidentiality impact is rated limited (C:L), with no integrity or availability effect. Note that the vendor vector rates the flaw PR:N.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 12, 2026 - 22:01 (EUVD)
Analysis generated: Jun 12, 2026 - 21:23 (vuln.today)

Description (CVE.org)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Analysis (AI)

Information disclosure in the Discourse discussion platform allows any MessageBus subscriber to receive real-time chat message payloads from public category channels without proper permission scoping, even when chat is not enabled for that user. The flaw affects versions 2026.1.0 through 2026.1.3, 2026.3.0, and 2026.4.0, and is fixed in 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: reach the Discourse MessageBus endpoint
Exploit: subscribe to the public chat event channel
Execution: receive unscoped chat payloads in real time
Impact: harvest chat message content from public category channels

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Discourse instance is running an affected version (2026.1.0-2026.1.3, 2026.3.0, or 2026.4.0) with the chat feature enabled and at least one public category chat channel in active use; the attacker must be able to reach the MessageBus endpoint over the network and subscribe to the unscoped chat event channel. …
Risk Assessment: The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network-reachable, unauthenticated read access to chat content with no integrity or availability impact, which is consistent with the information-disclosure nature of the description. …
Exploit Scenario: An attacker registers or uses any account on a Discourse forum that has chat enabled site-wide but not for their user, opens a MessageBus long-poll subscription to the public chat event channels, and passively receives chat messages from public category channels in real time as legitimate users send them. Because the vendor vector is PR:N and UI:N, an unauthenticated client able to reach MessageBus could likewise subscribe and harvest payloads without any victim interaction.
Remediation: Vendor-released patch: upgrade Discourse to 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 as appropriate for your release train, per advisory https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783. …

Recommended Action (AI)

Within 24 hours: identify all Discourse deployments and determine which are running an affected version (2026.1.0 through 2026.1.3, 2026.3.0, or 2026.4.0). …
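The version ranges in the advisory are per release train, so a naive "is it below 2026.4.1" check would misclassify 2026.1.x and 2026.3.x hosts. The helper below is an added triage script, not Discourse's code, that encodes the three ranges from the description and classifies an inventory of version strings. It assumes versions look like "YYYY.M.P" with an optional suffix such as "-latest" or "-latest.1", that ranges compare on the numeric year.month.patch triple only (the suffix does not move a version into or out of a range, which is how the advisory text lists them), and it reports versions outside every listed range, including the 2026.2.x train the advisory does not mention, as "not in a listed range" rather than as safe. The inventory lines are constructed.

```ruby
# Added triage helper (not Discourse's code): classify Discourse version strings
# against the affected ranges this advisory lists. Assumptions: version strings
# look like "YYYY.M.P" with an optional suffix ("-latest", "-latest.1"); ranges
# are compared on the numeric year.month.patch triple only; anything outside
# every listed range is reported as "not in a listed range", not as safe.

AFFECTED_RANGES = [
  # [first affected (inclusive), first fixed (exclusive)] per release train
  [[2026, 1, 0], [2026, 1, 4]],
  [[2026, 3, 0], [2026, 3, 1]],
  [[2026, 4, 0], [2026, 4, 1]],
].freeze

VERSION_RE = /\A(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?\z/

def parse_version(str)
  m = VERSION_RE.match(str.to_s.strip)
  raise ArgumentError, "unrecognised Discourse version #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# The affected [lo, hi] range containing the version, or nil.
def affected_range(str)
  v = parse_version(str)
  AFFECTED_RANGES.find { |lo, hi| (v <=> lo) >= 0 && (v <=> hi) < 0 }
end

def affected?(str)
  !affected_range(str).nil?
end

# First fixed version on the same train, e.g. "2026.3.1" for "2026.3.0-latest".
def fixed_version_for(str)
  range = affected_range(str)
  range && range[1].join(".")
end

# Turn "host version" inventory lines into [host, version, status] rows.
def triage(inventory_lines)
  inventory_lines.map do |line|
    host, version = line.strip.split(/\s+/, 2)
    status =
      begin
        if affected?(version)
          "affected: upgrade to #{fixed_version_for(version)}"
        else
          "not in a listed range"
        end
      rescue ArgumentError => e
        "unparsed: #{e.message}"
      end
    [host, version, status]
  end
end

# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
  "forum-a 2026.1.3",
  "forum-b 2026.1.4",
  "forum-c 2026.2.0-latest",
  "forum-d 2026.3.0-latest",
  "forum-e 2026.4.0",
  "forum-f 2026.5.0-latest.1",
  "forum-g 3.4.0.beta1",
].freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each { |row| puts row.join("  ") }
end
```

Feed it the output of whatever inventory you already have (the Discourse admin dashboard or the image tag of each container); anything it reports as unparsed, such as the older "3.x.y.betaN" format in the sample, should be checked by hand rather than assumed clean.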



EUVD-2026-36582 vulnerability details – vuln.today
