CVE-2026-32143
CSV Export Authorization Bypass in Discourse Moderators Leads to Data Exposure
Publication date: 2026-03-31
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2026.3.0 |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.3 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets moderators export CSV data from reports that are restricted to administrators, bypassing the visibility rule that is meant to keep that operational data confidential.
Whether this creates a compliance problem depends on what the affected reports contain: if they include personal data (for example upload or user activity attributable to individuals), the exposure can run against regulations such as GDPR, and HIPAA if the forum handles health information, since both require that access to such data be limited to authorized roles.
Because an account with moderator rights can read data the platform reserves for administrators, the flaw weakens the role-based access control that these regulations expect an operator to enforce and to be able to demonstrate.
The issue is fixed in later Discourse releases; upgrading restores the intended permission check and is the step that brings access control back in line with those requirements.
Can you explain this vulnerability to me?
CVE-2026-32143 is a vulnerability in the Discourse open-source discussion platform that affects certain versions before they were patched. It allows moderators to export CSV data from reports that should only be visible to administrators. This means moderators could bypass the intended visibility restrictions and access sensitive operational data that is meant to be restricted to admins only.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive operational data within the Discourse platform. Moderators, whose permissions are deliberately narrower than an administrator's, could export admin-only reports and read information intended to stay within the admin role. The consequence is a loss of confidentiality for that internal data, and, if a moderator account is malicious or compromised, a ready-made path for exfiltrating it as a CSV file.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows moderators to export admin-only reports through the CSV export functionality, bypassing the report visibility restriction.
Detection comes down to two checks: confirm whether the running Discourse version falls in one of the affected ranges listed above, and, on an instance that was exposed, review which moderator accounts requested CSV exports of admin-only reports such as "top_uploads" through the export CSV endpoint.
The page's resources do not provide specific commands for this; the version check is the one that can be automated reliably, since it depends only on the version ranges published for this CVE.
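The version check described above, written out as an added example (this is not Discourse project code and not taken from the advisory). The affected and fixed versions are copied from this page's table and mitigation answer. Two things are assumptions, not stated on the page: that the instance's public `/about.json` endpoint reports the running version under `about.version`, and that version strings are dotted integers optionally followed by a pre-release suffix (for example `.beta1`), which the script treats as sorting below the plain release. The sample JSON reply embedded in the block is constructed for the example.

```python
"""Check a Discourse version string against the CVE-2026-32143 ranges.

Added example, not Discourse project code.  Assumptions (not on the page):
- /about.json returns the running version under about.version.
- A pre-release suffix such as ".beta1" sorts below the plain release.
"""
import json
import re
import sys
import urllib.request

# Copied from the page's affected-products table: [start inclusive, end exclusive).
AFFECTED_RANGES = [
    ((2026, 1, 0), (2026, 1, 3)),
    ((2026, 2, 0), (2026, 2, 2)),
]
# Copied from the page's mitigation answer.  Note the page also lists 2026.3.0
# as affected; a pre-release build of a fixed version is treated as affected
# here, and the final call should be confirmed against the GitHub advisory.
FIXED_VERSIONS = {(2026, 1, 3), (2026, 2, 2), (2026, 3, 0)}

# Constructed sample of an /about.json reply (assumed shape, see docstring).
SAMPLE_ABOUT_JSON = '{"about": {"version": "2026.2.1", "title": "Example forum"}}'

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text):
    """Return (three_int_tuple, is_prerelease) for a version string."""
    match = _VER_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]          # pad/truncate to major.minor.patch
    prerelease = bool(match.group(2).strip(".-"))
    return nums, prerelease


def classify(version):
    """Return "affected", "fixed" or "unknown" for a version string."""
    nums, prerelease = parse_version(version)
    if nums < (2026, 1, 0):
        return "unknown"                    # the page lists nothing older
    for lo, hi in AFFECTED_RANGES:
        if lo <= nums < hi:
            return "affected"
    if nums in FIXED_VERSIONS and prerelease:
        return "affected"                   # e.g. 2026.2.2.beta1 predates the fix
    return "fixed"


def version_from_about(payload):
    """Extract about.version from an /about.json body (str or bytes)."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8")
    return json.loads(payload)["about"]["version"]


def fetch_version(base_url, timeout=10):
    """Fetch the running version from a live instance (assumed endpoint)."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/about.json",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return version_from_about(response.read())


if __name__ == "__main__":
    # Usage: python check_cve_2026_32143.py https://forum.example.org
    version = fetch_version(sys.argv[1]) if len(sys.argv) > 1 \
        else version_from_about(SAMPLE_ABOUT_JSON)
    print(f"Discourse {version}: {classify(version)}")
```

Run it with the forum's base URL to query a live instance, or with no argument to see it classify the constructed sample reply. A result of "unknown" means the version is older than anything the page lists, not that it is safe.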
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade Discourse to one of the patched versions: 2026.1.3, 2026.2.2, or 2026.3.0. The affected-products table on this page also lists 2026.3.0 on its own, so confirm the exact fixed build against the GitHub advisory before treating a 2026.3.0 install as patched.
The update restores the permission check on the CSV export path so that moderators can no longer export admin-only reports. Until the upgrade is applied, there is no configuration switch described here that closes the gap, so limit the moderator role to trusted accounts and review recent report exports requested by moderators.