CVE-2026-33425
Received Received - Intake
Information Disclosure via User Directory Enumeration in Discourse

Publication date: 2026-03-21

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin β†’ Settings β†’ hide user profiles from public.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33425
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33425 is a vulnerability in the Discourse open-source discussion platform that allows unauthenticated users to determine whether a specific user is a member of a private group. This is done by exploiting the behavior of the `exclude_groups` parameter in directory queries. By observing changes in directory results when using this parameter, an attacker can infer private group membership or the existence of private groups.

The vulnerability arises from authorization weaknesses, including observable discrepancies in system behavior, authorization bypass through user-controlled keys, and missing authorization checks.

It affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, which contain patches for this issue.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing unauthorized, unauthenticated users to gain limited information about private group memberships within your Discourse platform. Although it does not allow modification or deletion of data, it leaks confidential information about user group memberships.'}, {'type': 'paragraph', 'content': 'This information disclosure could be used for targeted social engineering or reconnaissance by attackers.'}, {'type': 'paragraph', 'content': 'A recommended mitigation is to disable public access to the user directory by enabling the "hide user profiles from public" setting in the admin panel.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by observing the behavior of the Discourse user directory when using the `exclude_groups` parameter in directory queries. Specifically, an unauthenticated user can send requests to the directory endpoint with and without the `exclude_groups` parameter and compare the results. Differences in the directory results indicate whether a specific user is a member of a private group.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can perform HTTP requests to the Discourse user directory API endpoint, for example using curl commands, and compare the responses.'}, {'type': 'list_item', 'content': "curl -s 'https://your-discourse-site.com/directory_items.json?exclude_groups=private_group_name' -o response_with_exclude.json"}, {'type': 'list_item', 'content': "curl -s 'https://your-discourse-site.com/directory_items.json' -o response_without_exclude.json"}, {'type': 'paragraph', 'content': 'By comparing the two responses (response_with_exclude.json and response_without_exclude.json), you can determine if the directory results differ based on the `exclude_groups` parameter, which indicates the presence of the vulnerability.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to disable public access to the user directory in Discourse. This can be done by enabling the setting "hide user profiles from public" in the Admin panel under Settings.'}, {'type': 'paragraph', 'content': 'Additionally, upgrading Discourse to one of the patched versions 2026.1.2, 2026.2.1, or 2026.3.0-latest.1 will fully resolve the vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart