Skip to main content

Discourse EUVDEUVD-2026-42740

| CVE-2026-45780 MEDIUM
Information Exposure (CWE-200)
2026-07-09 security-advisories@github.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Any user with topic-read access triggers disclosure over the network with no authentication; impact is limited to low confidentiality with no integrity or availability consequences.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 20:52 NVD
5.3 (MEDIUM) 4.3 (MEDIUM)
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:40 vuln.today

DescriptionNVD

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

AnalysisAI

EventSerializer in Discourse improperly exposes private event invitation metadata - including invited group names, sample invitee usernames, and attendance statistics - to any user who can view the topic, regardless of their authorization to access the private invitee list. All Discourse installations prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5 are affected when event functionality is in use. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access Discourse topic URL with private event
Delivery
Fetch topic JSON response via browser or API
Exploit
EventSerializer returns uninspected private metadata
Execution
Extract invited group names and sample invitee usernames
Impact
Use membership data for reconnaissance or social engineering

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Discourse installation has event functionality enabled and that at least one topic contains a private event with a configured invitee list. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects the risk profile: trivial access conditions (no authentication, no complexity, no user interaction) but bounded low-confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated visitor or low-privilege member on an open Discourse forum navigates to a topic containing a private event and retrieves the topic's JSON payload - either via the standard Discourse API endpoint or by inspecting browser network traffic. The EventSerializer returns the full private invitation metadata, including invited group names, a sample of invitee usernames, and attendance counts, without any authorization check. …
Remediation Upgrade Discourse to one of the patched releases: v2026.6.0 (stable), v2026.5.1 (beta), v2026.4.2 (beta), or v2026.1.5 (LTS), available at the respective GitHub release tags referenced in the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

EUVD-2026-42740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy