CVE-2026-33425
Status: Received - Intake
Information Disclosure via User Directory Enumeration in Discourse

Publication date: 2026-03-21

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin → Settings → hide user profiles from public.
Meta Information
Published: 2026-03-21
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
CWE
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33425 is a vulnerability in the Discourse open-source discussion platform that allows unauthenticated users to determine whether a specific user is a member of a private group. This is done by exploiting the behavior of the `exclude_groups` parameter in directory queries. By observing changes in directory results when using this parameter, an attacker can infer private group membership or the existence of private groups.

The vulnerability arises from authorization weaknesses, including observable discrepancies in system behavior, authorization bypass through user-controlled keys, and missing authorization checks.

It affects all versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2; those three releases contain the patch for this issue.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized, unauthenticated users to gain limited information about private group memberships within your Discourse platform. Although it does not allow modification or deletion of data, it leaks confidential information about user group memberships.

This information disclosure could be used for targeted social engineering or reconnaissance by attackers.

A recommended mitigation is to disable public access to the user directory by enabling the "hide user profiles from public" setting in the admin panel. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing the behavior of the Discourse user directory when using the `exclude_groups` parameter in directory queries. Specifically, an unauthenticated user can send requests to the directory endpoint with and without the `exclude_groups` parameter and compare the results. Differences in the directory results indicate whether a specific user is a member of a private group.

To detect this on your system, you can perform HTTP requests to the Discourse user directory API endpoint, for example using curl commands, and compare the responses.

- curl -s 'https://your-discourse-site.com/directory_items.json?exclude_groups=private_group_name' -o response_with_exclude.json
- curl -s 'https://your-discourse-site.com/directory_items.json' -o response_without_exclude.json

By comparing the two responses (response_with_exclude.json and response_without_exclude.json), you can determine if the directory results differ based on the `exclude_groups` parameter, which indicates the presence of the vulnerability. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to disable public access to the user directory in Discourse. This can be done by enabling the setting "hide user profiles from public" in the Admin panel under Settings.

Additionally, upgrading Discourse to one of the patched versions 2026.1.2, 2026.2.1, or 2026.3.0-latest.1 will fully resolve the vulnerability. [1]

