CVE-2026-33410
Status: Received - Intake
Authorization Bypass in Discourse Chat API Exposes Private Data

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor      Product     Version / Range
discourse   discourse   >= 2026.1.0, < 2026.1.2
discourse   discourse   >= 2026.2.0, < 2026.2.1
discourse   discourse   2026.3.0 (fixed in 2026.3.0-latest.1)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Discourse, an open-source discussion platform, in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. It involves two authorization issues in the chat direct message API.

  • First, when creating a direct message channel or adding users to one, the `target_groups` parameter was used without verifying that the acting user could see those groups. An authenticated chat user could therefore craft a request naming a known private or hidden group and receive a channel containing that group's members, learning their identities.
  • Second, the `can_chat?` check only verified group membership and ignored the `chat_enabled` user preference. A user who had disabled chat could still create or query direct message channels between other users, potentially exposing private `last_message` content from the serialized channel response.

These issues were fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No known workarounds exist.
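To make the two checks concrete, here is an added illustration in Ruby (Discourse's own language) that is not Discourse's code and does not reproduce its real classes or API. It models the description above and in the Q&A: a vulnerable resolver that passes `target_groups` straight to the group lookup and gates only on group membership, beside a hardened resolver that also enforces group visibility for the acting user and the `chat_enabled` preference. `User`, `Group`, `AuthorizationError`, the visibility rule, and the sample users and groups are all constructed for this example.

```ruby
# Added illustration, not Discourse's own code: a minimal model of the two
# authorization gaps the advisory describes, with the vulnerable logic next to
# a hardened version. User, Group, the visibility rule and the sample data are
# all constructed for this example.

User  = Struct.new(:username, :chat_enabled, :group_names, keyword_init: true)
Group = Struct.new(:name, :visibility, :members, keyword_init: true)

class AuthorizationError < StandardError; end

# Constructed sample data: "staff" is a hidden, members-only group.
GROUPS = {
  "staff"   => Group.new(name: "staff",   visibility: :members, members: %w[alice bob]),
  "helpers" => Group.new(name: "helpers", visibility: :public,  members: %w[carol dave]),
}.freeze

USERS = {
  "alice"   => User.new(username: "alice",   chat_enabled: true,  group_names: %w[staff]),
  "mallory" => User.new(username: "mallory", chat_enabled: true,  group_names: %w[helpers]),
  "eve"     => User.new(username: "eve",     chat_enabled: false, group_names: %w[helpers]),
}.freeze

# Assumed visibility rule: public groups are visible to everyone, members-only
# groups only to their own members.
def group_visible_to?(group, user)
  group.visibility == :public || group.members.include?(user.username)
end

# Shared by both variants: acting user plus explicitly named users plus the
# members of whatever groups were resolved.
def build_member_list(acting_user, target_usernames, group_members)
  (target_usernames + group_members + [acting_user.username]).uniq
end

module Vulnerable
  # Mirrors the can_chat? flaw: membership in some group is the only gate, so a
  # user who turned chat off in preferences still passes.
  def self.can_chat?(user)
    !user.group_names.empty?
  end

  # Mirrors the target_groups flaw: group names go straight to the lookup with
  # no visibility check, so naming a hidden group returns its members.
  def self.resolve_targets(acting_user, target_usernames, target_groups)
    raise AuthorizationError, "chat not allowed" unless can_chat?(acting_user)
    members = target_groups.flat_map { |name| GROUPS.fetch(name).members }
    build_member_list(acting_user, target_usernames, members)
  end
end

module Hardened
  # The chat preference is part of the authorization decision.
  def self.can_chat?(user)
    !user.group_names.empty? && user.chat_enabled
  end

  # Every target group must be visible to the acting user. A hidden group is
  # rejected with the same error as a nonexistent one, so the response does
  # not confirm that the name exists.
  def self.resolve_targets(acting_user, target_usernames, target_groups)
    raise AuthorizationError, "chat not allowed" unless can_chat?(acting_user)
    members = target_groups.flat_map do |name|
      group = GROUPS[name]
      if group.nil? || !group_visible_to?(group, acting_user)
        raise AuthorizationError, "unknown group: #{name}"
      end
      group.members
    end
    build_member_list(acting_user, target_usernames, members)
  end
end

if $PROGRAM_NAME == __FILE__
  mallory = USERS["mallory"]
  puts "vulnerable: #{Vulnerable.resolve_targets(mallory, [], ["staff"]).inspect}"
  begin
    Hardened.resolve_targets(mallory, [], ["staff"])
  rescue AuthorizationError => e
    puts "hardened:   #{e.message}"
  end
end
```

Run as a script, the vulnerable path hands `mallory` (not a staff member) the full staff membership, while the hardened path answers with the same error it would give for a group that does not exist. The same `can_chat?` change also blocks `eve`, whose chat preference is off, from resolving a channel between other users at all, which is the fix for the second issue in the description.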


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of private information within the Discourse platform.

  • An attacker with valid chat user credentials could discover the identities of members in private or hidden groups without permission.
  • Users who have disabled chat could still access or create direct message channels between other users, potentially exposing private message content.

Overall, this could result in leakage of sensitive user identities and private message content, compromising user privacy and trust.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No detection commands are given on this page. The only indicator it provides is the release: compare the installed Discourse version against the affected ranges listed above (2026.1.0 up to but not including 2026.1.2, 2026.2.0 up to but not including 2026.2.1, and 2026.3.0 before 2026.3.0-latest.1). Any installation in those ranges is affected.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

No known workarounds are available, so applying the official patch is the recommended immediate step.

