CVE-2026-32244
Outdated Cached AI Summaries Information Disclosure in Discourse
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 2026.1.4 (exc) |
| discourse | discourse | to 2026.3.0-latest (exc) |
| discourse | discourse | to 2026.4.0-latest (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-524 | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-672 | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Discourse allows unauthorized anonymous and unprivileged users to access outdated cached AI summaries containing removed content, leading to a confidentiality breach.
Such unauthorized disclosure of potentially sensitive or personal information could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and access to personal and sensitive data.
The issue has been fixed in later versions, and a workaround involves restricting summary generation to tighter groups, which helps mitigate the risk of unauthorized data exposure.
Can you explain this vulnerability to me?
This vulnerability in Discourse, an open-source discussion platform, involves cached outdated AI-generated summaries that can leak content which had been removed from posts.
Specifically, in versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, anonymous and unprivileged users could access these outdated summaries without the ability to regenerate them, potentially exposing removed or sensitive information.
The issue has been fixed in the mentioned updated versions, and a suggested workaround is to restrict summary generation by tightening the allowed groups on the summarization Personas.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users, including anonymous and unprivileged users, to view content that was intended to be removed or hidden.
Since the leaked information comes from cached AI summaries, sensitive or confidential data could be exposed unintentionally.
The vulnerability is rated moderate severity (CVSS score 5.3): it is reachable remotely, requires no privileges or user interaction, and its impact is to confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, restrict summary generation by tightening the allowed groups on the summarization Personas.
Additionally, update Discourse to one of the patched versions: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, where the issue has been fixed.