PT-2026-26427 · Discourse · Discourse

Davidtaylorhq · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33410

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2

Description

Discourse, an open-source discussion platform, has authorization issues within its chat direct message API. Specifically, the target_groups parameter, used when creating or modifying direct message channels, was not validated to ensure that the acting user had visibility into the specified groups. This allowed an authenticated user to potentially access information about members of private or hidden groups by crafting a specific API request. Additionally, the can_chat? check only verified group membership and did not consider the chat_enabled user preference, so chat-disabled users could create or query direct message channels and potentially view private last-message content. The affected API endpoints are those used for creating and managing direct message channels; the vulnerable parameter is target_groups.

Recommendations

Update Discourse to version 2026.3.0-latest.1 or later.
Update Discourse to version 2026.2.1 or later.
Update Discourse to version 2026.1.2 or later.
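The two checks the description refers to, modelled in Ruby as an added example that is not Discourse's code: Group, User, the visibility rule, the function names and the sample data are constructed stand-ins, shown in their vulnerable shape beside the corrected one.

```ruby
Group = Struct.new(:id, :name, :visible_to_everyone, :member_ids, keyword_init: true)
User  = Struct.new(:id, :group_ids, :chat_enabled, keyword_init: true)

# Visibility rule assumed for the example: a group is visible to a user if
# it is public or the user is a member of it.
def group_visible_to?(group, user)
  group.visible_to_everyone || group.member_ids.include?(user.id)
end

# Vulnerable shape of can_chat?: membership in a chat-allowed group is the
# only thing checked, so a user who turned chat off still passes.
def vulnerable_can_chat?(user, chat_allowed_group_ids)
  (user.group_ids & chat_allowed_group_ids).any?
end

# Fixed shape: the chat_enabled preference must also be on.
def can_chat?(user, chat_allowed_group_ids)
  user.chat_enabled && (user.group_ids & chat_allowed_group_ids).any?
end

# Vulnerable shape of target_groups handling: every requested id is
# resolved, so guessing the id of a hidden group reveals its members.
def vulnerable_resolve_target_groups(target_group_ids, groups)
  groups.select { |g| target_group_ids.include?(g.id) }
end

# Fixed shape: unknown ids and groups the acting user cannot see are
# rejected as a whole with one error, so the response does not differ
# between "no such group" and "group you may not see".
def resolve_target_groups(acting_user, target_group_ids, groups)
  requested = groups.select { |g| target_group_ids.include?(g.id) }
  ok = requested.size == target_group_ids.uniq.size &&
       requested.all? { |g| group_visible_to?(g, acting_user) }
  raise ArgumentError, "invalid target_groups" unless ok
  requested
end

# Constructed sample data: one public group and one private group.
GROUPS = [
  Group.new(id: 1, name: "everyone", visible_to_everyone: true, member_ids: [10, 20]),
  Group.new(id: 2, name: "private-team", visible_to_everyone: false, member_ids: [20]),
].freeze
# Alice is in the public group only and has chat turned off.
ALICE = User.new(id: 10, group_ids: [1], chat_enabled: false)

if __FILE__ == $PROGRAM_NAME
  p vulnerable_resolve_target_groups([2], GROUPS).map(&:member_ids) # leaks [[20]]
  p can_chat?(ALICE, [1])                                             # false
end
```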

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2026-33410
CVE-2026-33410
GHSA-2M5J-6V2R-CQ2H

Affected Products

Discourse