CVE-2026-32607
Stored XSS in Discourse Assignment UI via Unescaped Display Names
Publication date: 2026-03-31
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2026.3.0 |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.3 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32607 is a stored Cross-Site Scripting (XSS) vulnerability in the Discourse open-source discussion platform. It occurs when the hidden site setting `prioritize_full_name_in_ux` is enabled; the setting is off by default and requires console access to activate. Under this condition, user and group display names are rendered without proper HTML escaping in several assignment-related user interface components. This flaw allows users with assign permissions to inject arbitrary HTML or JavaScript that executes in the browsers of any users viewing the affected topics.
The vulnerability affects multiple UI paths including assignment tags in topic lists, first-post assignment indicators, small action post descriptions, mobile footer buttons, and the topic-level unassign menu. The root cause is that user and group names are inserted into HTML without sanitization, enabling malicious script injection.
This issue has been fixed in Discourse versions 2026.1.3, 2026.2.2, and 2026.3.0 by applying proper HTML escaping to user and group names before rendering.
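As an added illustration, not Discourse's own code, the two rendering patterns this advisory contrasts: a display name concatenated straight into assignment markup, and the same markup with the name HTML-escaped first. Only the setting name `prioritize_full_name_in_ux` comes from the advisory; the component markup, helper names and sample user are constructed stand-ins.

```javascript
// Minimal HTML escaper covering the characters that matter in element
// text and in double- or single-quoted attribute values.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Choose which name to show, mirroring what prioritize_full_name_in_ux does:
// the full name when the setting is on (and a name exists), else the username.
// Note that only the full name is free-form user input here.
function displayName(user, settings) {
  return settings.prioritize_full_name_in_ux && user.name ? user.name : user.username;
}

// Vulnerable pattern (constructed): the chosen name is interpolated raw,
// so any markup in a full name becomes part of the page.
function renderAssignedTagUnsafe(user, settings) {
  return `<span class="assigned-to">Assigned to ${displayName(user, settings)}</span>`;
}

// Fixed pattern (constructed): identical markup, name escaped before insertion.
function renderAssignedTagSafe(user, settings) {
  return `<span class="assigned-to">Assigned to ${escapeHtml(displayName(user, settings))}</span>`;
}

// Defender-side check: count tag openers in the rendered fragment. The
// wrapper contributes exactly two; anything more came from user data.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample user whose full name happens to contain markup.
const sampleUser = { username: "alice", name: '<b title="x">Alice</b>' };
const settingOff = { prioritize_full_name_in_ux: false };
const settingOn = { prioritize_full_name_in_ux: true };

console.log(renderAssignedTagUnsafe(sampleUser, settingOn)); // markup survives
console.log(renderAssignedTagSafe(sampleUser, settingOn));   // markup neutralized
```

With the setting off both renderers emit the username, which is why the flaw is only reachable when the hidden setting is enabled.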
How can this vulnerability impact me?
This vulnerability allows an attacker with assign permissions to inject malicious HTML or JavaScript code into the Discourse platform's assignment-related UI components. When other users view the affected topics, the injected code executes in their browsers.
The impact includes potential compromise of confidentiality and integrity of user interactions, such as stealing session information, performing actions on behalf of users, or displaying misleading content. However, it does not affect system availability.
The severity is rated as Low with a CVSS v4 base score of 2.1, requiring low privileges and user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Discourse instance is running a vulnerable version and if the hidden site setting `prioritize_full_name_in_ux` is enabled.
Specifically, verify whether the Discourse version falls within the vulnerable ranges: from 2026.1.0 up to (but not including) 2026.1.3, from 2026.2.0 up to (but not including) 2026.2.2, or from 2026.3.0 up to (but not including) 2026.3.0.
Also confirm if the `prioritize_full_name_in_ux` setting is enabled, which is disabled by default and requires console access to change.
Since the vulnerability involves stored Cross-Site Scripting (XSS) via user or group display names in assignment-related UI components, you can attempt to detect it by inspecting assignment-related UI elements for unescaped HTML or JavaScript.
There are no specific network or system commands provided in the resources to detect this vulnerability automatically.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to update your Discourse installation to a patched version.
- Upgrade to Discourse version 2026.1.3 or later if you are on the 2026.1.x branch.
- Upgrade to Discourse version 2026.2.2 or later if you are on the 2026.2.x branch.
- Upgrade to Discourse version 2026.3.0 or later if you are on the 2026.3.x branch.
If immediate upgrading is not possible, consider disabling the `prioritize_full_name_in_ux` site setting (it is disabled by default and can only be changed from the console) so that the flaw is no longer exploitable.
Ensure that only trusted users have assign permissions, as the vulnerability requires assign permission to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users with assign permission to inject arbitrary HTML or JavaScript that executes in the browsers of other users viewing affected topics. Such cross-site scripting (XSS) attacks can potentially compromise the confidentiality and integrity of user interactions within the Discourse platform.
While the vulnerability impacts confidentiality and integrity at the application level, it does not affect system availability. The ability to execute malicious scripts in users' browsers could lead to unauthorized access to sensitive information or manipulation of user data, which may have implications for compliance with standards like GDPR and HIPAA that require protection of personal data and secure user interactions.
Mitigation involves updating to patched versions of Discourse where proper HTML escaping is enforced, reducing the risk of data exposure or unauthorized actions that could violate regulatory requirements.