EUVD-2026-36585Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable API endpoint requires only a valid login (PR:L); confidentiality impact is limited to user real names only, with no integrity or availability consequence.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
AnalysisAI
Discourse's GroupPostSerializer leaks user real names to authenticated users even when site administrators have explicitly disabled name display via the enable_names site setting. Affected versions span the 2026.1.x, 2026.3.x, and 2026.4.x release lines. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability requires two conditions to be exploitable in a meaningful way: (1) a valid authenticated session on the Discourse instance - unauthenticated access is not sufficient per the CVSS PR:L metric; and (2) the site administrator must have set SiteSetting.enable_names to false, which is a non-default configuration used by communities that wish to suppress display of user real names. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is consistent with the nature of the flaw: network-reachable, low complexity, requires a valid session, and produces only a limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Discourse user - even one with minimal trust-level permissions - sends an API or browser request to a group post listing endpoint. The GroupPostSerializer serializes user.name unconditionally due to the misnamed predicate, and the response JSON includes the real names of post authors. … |
| Remediation | Vendor-released patches are available; operators should upgrade to Discourse 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 depending on their tracked release branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa
Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi
Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m
Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte
Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both
Share
External POC / Exploit Code
Leaving vuln.today