PT-2026-22156 · Discourse · Discourse

Davidtaylorhq · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-26265

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0
Description
Discourse is an open source discussion platform. An IDOR vulnerability exists in the directory_items endpoint, allowing unauthorized access to private user field values for all users in the directory. The user_field_ids parameter within the DirectoryItemsController#index function does not enforce proper authorization checks, bypassing visibility restrictions. This allows an attacker to request data using the API endpoint /directory_items.json with the user_field_ids parameter and retrieve sensitive information, such as phone numbers and addresses, for all users. The issue is addressed by filtering user_field_ids against UserField.public_fields for non-staff users.
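To make the authorization gap concrete, the following is an added Ruby example (not Discourse's own code) that models the vulnerable and the fixed handling of the user_field_ids parameter side by side; the UserField struct and its public? rule, the pipe-separated parameter format, and the sample fields and users are all assumptions made for the illustration.

```ruby
# Assumed model: a user field is "public" when it is shown on the profile
# or on the user card; everything else is private (e.g. phone, address).
UserField = Struct.new(:id, :name, :show_on_profile, :show_on_user_card) do
  def public?
    show_on_profile || show_on_user_card
  end
end

# Constructed sample fields: one public, two private.
USER_FIELDS = [
  UserField.new(1, "Website", true, false),
  UserField.new(2, "Phone", false, false),
  UserField.new(3, "Address", false, false),
].freeze

# Constructed directory users and their custom field values.
USERS = [
  { username: "alice", user_fields: { 1 => "alice.example", 2 => "555-0100", 3 => "1 Main St" } },
  { username: "bob",   user_fields: { 1 => "bob.example",   2 => "555-0199", 3 => "2 Oak Ave" } },
].freeze

# Stand-in for the UserField.public_fields scope.
def public_field_ids
  USER_FIELDS.select(&:public?).map(&:id)
end

# Assumed parameter format: "1|2|3" (pipe-separated ids).
def parse_ids(param)
  param.to_s.split("|").map(&:to_i).reject(&:zero?).uniq
end

# Vulnerable behaviour: the requested ids are used exactly as supplied, so
# an unauthenticated caller can name private field ids and get their values.
def requested_field_ids_vulnerable(param)
  parse_ids(param)
end

# Fixed behaviour: non-staff callers are limited to the public field set;
# staff keep the full set, matching the advisory's description of the fix.
def requested_field_ids_fixed(param, staff:)
  ids = parse_ids(param)
  staff ? ids : ids & public_field_ids
end

# Builds the per-user field payload a directory item would carry for the ids.
def directory_items(field_ids)
  USERS.map { |u| { username: u[:username], user_fields: u[:user_fields].slice(*field_ids) } }
end
```

With a request of "1|2|3" from a guest, the vulnerable path exposes phone and address for every user, while the fixed path returns only the Website field.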
Recommendations
Update Discourse to version 2025.12.2 or later. Update Discourse to version 2026.1.1 or later. Update Discourse to version 2026.2.0 or later. As a workaround, site administrators can remove sensitive data from private user fields. As a workaround, site administrators can disable the user directory via the enable_user_directory site setting.

Exploit · Fix · Incorrect Authorization · IDOR


Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-26265
CVE-2026-26265
GHSA-CRXF-P6JM-VPGW

Affected Products

Discourse