CVE-2026-34947
Received Received - Intake
Information Disclosure in Discourse Public Invite Pages

Publication date: 2026-04-03

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34947
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.3.0
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (inc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The impact of this vulnerability is that sensitive user information, such as custom fields and usernames of staged users, can be accessed publicly without the user having verified their email. This could lead to privacy concerns, unauthorized data exposure, and potential misuse of user information.

Mitigation Strategies

To mitigate this vulnerability, upgrade your Discourse installation to one of the patched versions: 2026.1.3, 2026.2.2, or 2026.3.0.

These versions fix the issue where staged user custom fields and usernames are exposed on public invite pages without email verification.

Compliance Impact

This vulnerability exposes staged user custom fields and usernames on public invite pages without email verification, potentially leading to unauthorized disclosure of user information.

Such unauthorized exposure of user data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal information and ensuring proper access controls.

However, specific impacts on compliance or regulatory obligations are not detailed in the provided information.

Executive Summary

This vulnerability affects the Discourse open-source discussion platform in certain versions before they were patched. Specifically, from versions 2026.1.0 up to but not including 2026.1.3, 2026.2.0 up to but not including 2026.2.2, and 2026.3.0 up to but not including 2026.3.0, there is an issue where staged user custom fields and usernames are exposed on public invite pages without requiring email verification.

This means that sensitive user information that should be protected until verification can be viewed publicly on invite pages, potentially exposing user data prematurely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart