CVE-2026-26265
Received Received - Intake
IDOR in Discourse Directory Allows Bulk Private Data Exposure

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26265
EUVD
EUVD-2026-8859
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
discourse discourse to 2025.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26265 is an Insecure Direct Object Reference (IDOR) vulnerability in the Discourse platform's directory items endpoint."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the `user_field_ids` parameter in the `DirectoryItemsController#index` endpoint accepts arbitrary user field IDs without performing authorization checks, bypassing visibility restrictions that are normally enforced.'}, {'type': 'paragraph', 'content': 'This allows any user, including anonymous users, to send a GET request with any private field ID and retrieve private user field values for all users in the directory.'}, {'type': 'paragraph', 'content': 'As a result, sensitive private user data such as phone numbers, addresses, or other custom fields configured as non-public can be bulk exfiltrated.'}, {'type': 'paragraph', 'content': 'The issue is fixed in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering the `user_field_ids` parameter against public fields for non-staff users before building the custom field map.'}, {'type': 'paragraph', 'content': 'Workarounds include removing sensitive data from private user fields or disabling the user directory feature.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive private user data.

Any user, including anonymous users, can retrieve private information such as phone numbers, addresses, and other sensitive custom fields for all users in the directory.

This bulk exfiltration of private data can compromise user privacy and potentially expose the organization to reputational damage and legal consequences.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized GET requests to the Discourse directory items endpoint that include the user_field_ids parameter with arbitrary or suspicious values.'}, {'type': 'paragraph', 'content': 'For example, you can look for HTTP GET requests matching the pattern: /directory_items.json?period=all&user_field_ids=<id> where <id> is any user field ID.'}, {'type': 'paragraph', 'content': 'A simple command to detect such requests in web server logs might be:'}, {'type': 'list_item', 'content': 'grep "/directory_items.json?period=all&user_field_ids=" /path/to/access.log'}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools or intrusion detection systems can be configured to alert on such patterns to identify potential exploitation attempts.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Discourse to a patched version: 2025.12.2, 2026.1.1, or 2026.2.0 or later.
  • As a temporary workaround, remove sensitive data from private user fields to prevent exposure.
  • Alternatively, disable the user directory feature by setting the site setting `enable_user_directory` to false.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart