PT-2026-26543 · Discourse · Discourse
Jomaxro · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-31869
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1; Discourse versions prior to 2026.2.1; Discourse versions prior to 2026.1.2

Description: Discourse is an open-source discussion platform. The ComposerController#mentions API endpoint reveals hidden group membership to any authenticated user who is allowed to message the group. By supplying allowed names that reference a hidden-membership group and probing arbitrary usernames, an attacker can infer whether each user is a member from whether user reasons returns "private" for that user. This bypasses the group's member-visibility controls.

Recommendations: Restrict the messageable policy of any hidden-membership group to staff or group members only, so that untrusted users cannot reach the vulnerable code path.
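To check whether the recommended mitigation is in place, the following audit script (an added example, not code from the advisory or from the Discourse project) flags groups whose membership is hidden while any logged-in user may still message them. It assumes Discourse's numeric level encodings for `members_visibility_level` and `messageable_level` as exposed by `/groups.json`; verify those against your own instance before relying on the result.

```python
"""Audit Discourse group settings for the hidden-membership exposure above.

Assumption (not stated in the advisory): group records use Discourse's numeric
levels. members_visibility_level: 0 public, 1 logged_on_users, 2 members,
3 staff, 4 owners. messageable_level: 0 nobody, 1 only_admins, 2 mods_and_admins,
3 members_mods_and_admins, 4 owners_mods_and_admins, 99 everyone.
"""
import json

VISIBILITY = {0: "public", 1: "logged_on_users", 2: "members", 3: "staff", 4: "owners"}
MESSAGEABLE = {0: "nobody", 1: "only_admins", 2: "mods_and_admins",
               3: "members_mods_and_admins", 4: "owners_mods_and_admins", 99: "everyone"}

# Constructed sample payload shaped like a /groups.json response (not real data).
SAMPLE = json.dumps({"groups": [
    {"name": "staff", "members_visibility_level": 0, "messageable_level": 99},
    {"name": "secret-review", "members_visibility_level": 2, "messageable_level": 99},
    {"name": "incident-team", "members_visibility_level": 3, "messageable_level": 3},
    {"name": "advisors", "members_visibility_level": 4, "messageable_level": 1},
]})


def membership_hidden(group: dict) -> bool:
    """Membership is hidden when only members, staff or owners can see it."""
    return group.get("members_visibility_level", 0) >= 2


def messageable_by_untrusted(group: dict) -> bool:
    """'everyone' lets any authenticated user message the group, which is the
    precondition the advisory describes for reaching the mentions endpoint."""
    return group.get("messageable_level", 0) == 99


def find_exposed_groups(payload: str) -> list:
    """Return groups that combine hidden membership with an open messageable policy."""
    findings = []
    for g in json.loads(payload).get("groups", []):
        if membership_hidden(g) and messageable_by_untrusted(g):
            findings.append({
                "name": g["name"],
                "visibility": VISIBILITY.get(g["members_visibility_level"], "unknown"),
                "messageable": MESSAGEABLE.get(g["messageable_level"], "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_groups(SAMPLE):
        print(f"[!] {f['name']}: membership visible to {f['visibility']}, "
              f"but messageable by {f['messageable']}; restrict to members or staff")
```

Against the sample, only `secret-review` is reported; the `staff` group is public and the other two already restrict who may message them.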

Tags: Improper Authorization · Information Disclosure · IDOR


Related Identifiers

BIT-DISCOURSE-2026-31869
CVE-2026-31869
GHSA-5F9H-VP7V-7VQ5

Affected Products

Discourse