Executive Summary

CVE-2026-32951 is an authorization bypass vulnerability in the Discourse open-source discussion platform. It affects the oneboxer feature, specifically the method that handles inline onebox requests with a category_id parameter. An authenticated user can exploit this flaw by sending a request with the category_id set to the shared drafts category, which allows them to bypass the usual permission checks that restrict access to shared draft topic titles.

Normally, the system checks if a user can see a topic before revealing its title, but due to this vulnerability, the check was skipped if the category_id matched the shared drafts category. This allowed unauthorized users to view the titles of shared draft topics they should not have access to. The vulnerability was fixed by ensuring the permission check is always performed regardless of the category_id.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of information by allowing authenticated users to see the titles of shared draft topics that they normally should not have access to. Although the content of the posts is not exposed, the leakage of draft titles can reveal sensitive or confidential information prematurely.

The impact is considered moderate with a CVSS score of 4.3, as it requires an authenticated user but no user interaction and can be exploited remotely. The integrity and availability of the system are not affected, but confidentiality is impacted at a low level.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for inline onebox requests that include a category_id parameter matching the shared drafts category. Such requests are used by authenticated users to bypass topic-level visibility restrictions and retrieve shared draft topic titles.

To detect exploitation attempts, you can inspect web server logs or application logs for requests to the oneboxer endpoint containing the category_id parameter set to the shared drafts category ID.

Example commands to detect such requests might include:

• Using grep on web server logs to find suspicious requests: grep 'category_id=<shared_drafts_category_id>' /var/log/nginx/access.log
• Using application logs or API logs to search for inline onebox requests with category_id matching the shared drafts category.
• Monitoring authenticated user activity for unusual inline onebox requests that could indicate attempts to access shared draft titles.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Discourse to a patched version: 2026.1.3, 2026.2.2, or 2026.3.0 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, a recommended workaround is to configure the shared_drafts_category site setting to point to a category with strict read restrictions, such as a staff-only category. This enforces the can_see_category? check and blocks unauthorized access before the vulnerable code path is reached.

Additionally, review and tighten category permissions to ensure that only authorized users can access shared drafts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated user to bypass authorization checks and obtain shared draft topic titles that they should not have access to. Although the exposure is limited to topic titles and does not include post content, it constitutes a low confidentiality impact due to unauthorized information disclosure.

Such unauthorized disclosure of information, even if limited, could potentially affect compliance with data protection standards and regulations like GDPR or HIPAA, which require strict controls over access to sensitive or restricted information.

However, the vulnerability has a moderate severity score (CVSS 4.3) and can be mitigated by configuring strict read restrictions on the shared drafts category or by applying the patches provided in later versions of Discourse.

Useful 0 Not Useful 0