PT-2026-5211 · Discourse · Discourse
Davidtaylorhq
·
Published
2026-01-28
·
Updated
2026-01-31
·
CVE-2026-23743
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description
Discourse is an open source discussion platform. Permalinks to access-restricted resources, such as private topics, categories, posts, or hidden tags, were redirecting users to URLs that revealed the resource slug, even when the user lacked the necessary permissions. This resulted in the leakage of potentially sensitive information, including private topic titles, through the redirect Location header and the search box on the 404 page.
Recommendations
Update Discourse to version 3.5.4 or later.
Update Discourse to version 2025.11.2 or later.
Update Discourse to version 2025.12.1 or later.
Update Discourse to version 2026.1.0 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Discourse