Discourse

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.

The Data Explorer plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to properly enforce access controls, allowing any authenticated user to execute arbitrary SQL queries against unprotected queries, including system-level queries. This affects all installations with the Data Explorer plugin enabled and permits authenticated attackers to access or modify sensitive data without proper authorization. No patch is currently available, though administrators can mitigate the issue by explicitly setting group permissions on queries or disabling the plugin.

Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.

Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.

SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No patch workaround exists for unpatched installations.

The Discourse poll plugin voters endpoint fails to validate post visibility permissions, enabling unauthenticated attackers to enumerate poll voter details across any post in affected instances. This information disclosure affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with no workaround available until patching. No patch is currently available for earlier versions.

Insecure Direct Object References in Discourse ReviewableNotesController allow category moderation group members to create or delete notes on any reviewable in the system regardless of moderation scope when category group moderation is enabled. This authorization bypass affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, enabling users to manipulate moderation records outside their assigned categories. No patch is currently available.

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.

The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.

Discourse instances with an unconfigured patreon_webhook_secret allow remote attackers to forge valid webhook signatures using an empty HMAC-MD5 key, enabling arbitrary creation, modification, or deletion of Patreon pledge data and unauthorized patron synchronization. The vulnerability affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, and currently lacks an available patch. Administrators must explicitly configure the patreon_webhook_secret setting or upgrade to patched versions to mitigate this integrity attack.

Unauthenticated attackers can submit forged webhook payloads to multiple email provider integrations in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 when authentication tokens are not configured, allowing them to artificially inflate user bounce scores and disable legitimate user accounts. The vulnerability affects webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost, with Mailpace having no token validation whatsoever. Administrators should immediately configure webhook authentication tokens for all email provider integrations as a workaround until patching is available.

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow non-admin moderators to access restricted staff action logs containing sensitive data such as webhook secrets, API keys, private messages, and restricted category information. An attacker with moderator privileges could extract confidential information and use leaked webhook credentials to spoof events to integrated services. No patch is currently available for this access control bypass.

Discourse is an open source discussion platform. [CVSS 7.5 HIGH]

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow moderators with insufficient permissions to convert private messages into public topics, potentially exposing sensitive user communications. The vulnerability affects any Discourse instance where untrusted moderators have access to moderation features. Site administrators can mitigate this by temporarily removing moderator privileges or disabling personal message access for moderator groups until patching to a fixed version.

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. [CVSS 5.4 MEDIUM]

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. [CVSS 6.5 MEDIUM]

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not f...

Discourse is an open source discussion platform. [CVSS 6.9 MEDIUM]

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. [CVSS 6.5 MEDIUM]

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. [CVSS 7.6 HIGH]

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is pat...

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. [CVSS 7.1 HIGH]

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. [CVSS 4.6 MEDIUM]

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. [CVSS 4.6 MEDIUM]

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, malicious meta-commands could be embedded in a backup dump and executed during restore. In multisite setups, this allowed an admin of one site to access data or credentials from other sites. This issue is fixed in version 3.5.1.

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.

Discourse is an open-source discussion platform. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed) contain an information disclosure vulnerability where users retain visibility of their own whisper-typed posts even after losing group membership that should restrict access to whispers. This is a logic flaw in the whisper visibility enforcement mechanism (CWE-200: Information Exposure) affecting unauthenticated network access with high confidentiality impact. No public exploitation has been reported, but the issue is easily discoverable through normal platform usage.

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login functionality that is only exploitable when Content Security Policy (CSP) is disabled. An unauthenticated attacker can craft a malicious link leveraging social authentication endpoints to inject arbitrary JavaScript, potentially stealing session tokens, credentials, or performing actions on behalf of the victim. The vulnerability requires user interaction (clicking a malicious link) but has high impact on confidentiality and integrity with no availability impact.

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vulnerability where Codepen is included in the default `allowed_iframes` site setting and can auto-execute arbitrary JavaScript within the iframe scope, enabling unauthenticated remote code execution. With a CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to all default Discourse installations and should be prioritized for immediate patching.

A remote code execution vulnerability in Discourse (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Denial-of-service vulnerability in Discourse that allows unauthenticated remote attackers to reduce the availability of a Discourse instance by sending malicious URLs in private messages to bot users. The vulnerability affects Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed), with a CVSS 7.5 rating indicating high severity. No known public exploits or workarounds are currently available, but patches have been released.

Discourse is an open-source community platform. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Discourse is an open-source discussion platform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity.

Discourse is an open-source discussion platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Discourse is an open-source discussion platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Discourse is an open source platform for community discussion. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Discourse is an open source platform for community discussion. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Discourse is a platform for community discussion. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.