Skip to main content

Discourse EUVDEUVD-2026-42730

| CVE-2026-49256 MEDIUM
Information Exposure (CWE-200)
2026-07-09 security-advisories@github.com
6.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

AC:H maps the CVSS 4.0 AT:P precondition; PR:N because no auth needed once conditions exist; C:L for tag-name-only disclosure with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:43 vuln.today

DescriptionCVE.org

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

Restricted tag and tag-group name disclosure in Discourse exposes internal taxonomy metadata to anonymous and unauthorized users via the category and group API endpoints. All Discourse versions prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when restricted tags or tag groups are configured on publicly readable categories. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public Discourse instance
Delivery
Query /categories.json or group endpoint unauthenticated
Exploit
Parse JSON response for tag and tag-group fields
Execution
Extract restricted tag and tag-group names
Impact
Record organizational metadata for reconnaissance

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Discourse instance has at least one restricted tag or restricted tag group assigned as allowed_tags, allowed_tag_groups, or a required tag group on a publicly readable category. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 (Medium) accurately reflects the limited blast radius: AV:N/AC:L/PR:N/UI:N indicate the endpoint is trivially reachable by any unauthenticated actor, but AT:P confirms that exploitation is gated on a specific administrator-configured precondition (restricted tags attached to public categories). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a standard HTTP GET request to a public Discourse forum's /categories.json or equivalent group endpoint. The JSON response includes the names of restricted tags and tag groups attached to publicly readable categories, which the attacker records for organizational intelligence gathering or targeted social engineering. …
Remediation Upgrade Discourse to one of the patched releases: v2026.6.0, v2026.5.1, v2026.4.2, or v2026.1.5, as documented in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-mwp7-572g-6qpx. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

EUVD-2026-42730 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy