CVE-2026-44782

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include user long name? as the predicate for its :name attribute, but AMS looks for include name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.