CVE-2026-33410
Received Received - Intake
Authorization Bypass in Discourse Chat API Exposes Private Data

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33410
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Discourse, an open-source discussion platform, in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. It involves two authorization issues in the chat direct message API.

  • First, when creating a direct message channel or adding users, the 'target_groups' parameter was used without verifying if the acting user had visibility of those groups. This allowed an authenticated user to access private or hidden group member identities by crafting a request with a known private group name.
  • Second, the 'can_chat?' check only verified group membership but did not consider if a user had disabled chat via their preferences. This allowed chat-disabled users to create or query direct message channels between other users, potentially exposing private last message content.

These issues were fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No known workarounds exist.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private information within the Discourse platform.

  • An attacker with valid chat user credentials could discover the identities of members in private or hidden groups without permission.
  • Users who have disabled chat could still access or create direct message channels between other users, potentially exposing private message content.

Overall, this could result in leakage of sensitive user identities and private message content, compromising user privacy and trust.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

No known workarounds are available, so applying the official patch is the recommended immediate step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart