PT-2026-5212 · Discourse · Discourse

Davidtaylorhq · Published 2026-01-28 · Updated 2026-02-02 · CVE-2026-24742

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description

Discourse is an open source discussion platform. Non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services.
Recommendations

Update to Discourse version 3.5.4 or later.
Update to Discourse version 2025.11.2 or later.
Update to Discourse version 2025.12.1 or later.
Update to Discourse version 2026.1.0 or later.
Review and limit moderator appointments to fully trusted users.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2026-24742
CVE-2026-24742
GHSA-HWJV-9GQJ-M7H6

Affected Products

Discourse