CVE-2026-32143
Received Received - Intake
CSV Export Authorization Bypass in Discourse Moderators Leads to Data Exposure

Publication date: 2026-03-31

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32143
EUVD
EUVD-2026-17548
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.3.0
discourse discourse From 2026.1.0 (inc) to 2026.1.3 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.2 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32143 is a vulnerability in the Discourse open-source discussion platform that affects certain versions before they were patched. It allows moderators to export CSV data from reports that should only be visible to administrators. This means moderators could bypass the intended visibility restrictions and access sensitive operational data that is meant to be restricted to admins only.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive operational data within the Discourse platform. Moderators, who normally have limited permissions, could export admin-only reports and gain access to confidential information. This exposure could compromise the confidentiality of internal data and potentially lead to misuse or leakage of sensitive information.

Detection Guidance

This vulnerability involves moderators being able to export admin-only reports via the CSV export functionality, bypassing visibility restrictions.

Detection would involve monitoring or testing whether moderators can export restricted reports such as "top_uploads" through the export CSV endpoint.

There are no specific commands provided in the available resources to detect this vulnerability on your network or system.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Discourse to one of the patched versions: 2026.1.3, 2026.2.2, or 2026.3.0.

This update enforces proper permission checks preventing moderators from exporting admin-only reports.

Compliance Impact

This vulnerability allows moderators to export sensitive operational data from admin-restricted reports, bypassing visibility restrictions intended to protect confidential information.

Exposure of such sensitive data could potentially lead to non-compliance with data protection standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

By allowing unauthorized access to admin-only reports, the vulnerability undermines role-based access controls that are critical for maintaining compliance with these regulations.

The issue has been patched in later versions, and upgrading to these versions is recommended to restore proper access controls and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart