PT-2026-26549 · Discourse · Discourse

Jomaxr · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-32114

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description
Discourse is an open-source discussion platform. Before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an Insecure Direct Object Reference (IDOR) exists, allowing any authenticated user to access metadata about AI personas, features, and LLM models by providing their identifiers. This information includes credit allocations and usage statistics that are not intended to be public. The attack is conducted over the network, requires low privileges (any logged-in user), and results in a low impact on confidentiality.
Recommendations
Versions prior to 2026.3.0-latest.1: Disable the AI plugin or upgrade to a patched version.
Versions prior to 2026.2.1: Disable the AI plugin or upgrade to a patched version.
Versions prior to 2026.1.2: Disable the AI plugin or upgrade to a patched version.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-32114
CVE-2026-32114
GHSA-3CVR-PM4C-HX96

Affected Products

Discourse