Executive Summary

CVE-2026-33300 is an authorization bypass vulnerability in the Discourse open-source discussion platform affecting certain versions before patch releases. It occurs in the Category Chatables Controller's show action, where moderators can access information about hidden groups, including their names and user counts, which should normally be confidential.

The vulnerability allows moderators to bypass intended group visibility restrictions via the category-chatables endpoint, exposing owner-only or private groups that should remain hidden.

This issue can be exploited remotely with low complexity and requires only moderator-level privileges, without any user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of hidden group information, such as group names and member counts, to moderators who should not have access to this data.

While the impact on confidentiality is considered low, it exposes sensitive metadata about private or owner-only groups, potentially compromising privacy expectations within the platform.

There is no impact on data integrity or system availability, and no known workarounds exist other than upgrading to patched versions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if moderators can access hidden group names and user counts through the category-chatables endpoint in Discourse. Since the issue involves an authorization bypass in the Category Chatables Controller's show action, a test can be performed by making a request to this endpoint as a moderator and verifying if hidden or private groups are visible.

A possible approach is to use HTTP request commands (e.g., curl) to query the category-chatables endpoint with moderator credentials and inspect the response for unauthorized group information exposure.

• Use a command like: curl -u moderator_username:password https://your-discourse-instance.com/category-chatables/<category_id> -v
• Check the response for any hidden or private group names and user counts that should not be visible to moderators.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Discourse to one of the patched versions: 2026.1.3, 2026.2.2, or 2026.3.0.

No known workarounds exist for this vulnerability, so applying the official security patch is necessary to prevent unauthorized disclosure of hidden group information.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows moderators to bypass authorization controls and access hidden group names and user counts that should remain confidential.

Although the impact on confidentiality is considered low, the unauthorized disclosure of group membership information could potentially conflict with privacy requirements in standards like GDPR or HIPAA, which mandate strict controls over access to personal or sensitive information.

Therefore, if the hidden groups or user counts contain personal or sensitive data protected under such regulations, this vulnerability could lead to non-compliance by exposing information to unauthorized users.

The issue has been patched in later versions, and upgrading is strongly recommended to maintain compliance and protect confidential information.

Useful 0 Not Useful 0