CVE-2026-32244
Outdated Cached AI Summaries Information Disclosure in Discourse

Publication date: 2026-05-19

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.
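As an added example that is not Discourse's own code, a small Ruby model of the failure described above: a cached summary is served unchanged after a post has been removed, beside a check that treats a summary whose source posts have changed as expired and refuses to serve it to viewers who cannot regenerate. The Post struct, the fingerprint scheme and the stand-in summarizer lambda are assumptions.

```ruby
require "digest"

Post = Struct.new(:id, :raw, :deleted)
# Assumed cache shape (not Discourse's): topic_id => { fingerprint:, text: }.
class SummaryCache
  def initialize(summarizer)
    @summarizer = summarizer   # callable taking the visible posts, returns text
    @store = {}
  end

  # Fingerprint of the posts still visible: removing or editing one changes it,
  # so a summary built from the old content no longer matches (CWE-672 check).
  def fingerprint(posts)
    visible = posts.reject(&:deleted)
    Digest::SHA256.hexdigest(visible.map { |p| "#{p.id}:#{p.raw}" }.join("\n"))
  end

  # Vulnerable pattern: whatever is cached is served, however stale.
  def fetch_unsafe(topic_id, posts, can_regenerate:)
    entry = @store[topic_id]
    return entry[:text] if entry
    can_regenerate ? generate(topic_id, posts) : nil
  end

  # Hardened pattern: a stale entry counts as expired; viewers who cannot
  # regenerate get nothing rather than content that has since been removed.
  def fetch(topic_id, posts, can_regenerate:)
    entry = @store[topic_id]
    return entry[:text] if entry && entry[:fingerprint] == fingerprint(posts)
    can_regenerate ? generate(topic_id, posts) : nil
  end

  def generate(topic_id, posts)
    text = @summarizer.call(posts.reject(&:deleted))
    @store[topic_id] = { fingerprint: fingerprint(posts), text: text }
    text
  end
end

# Constructed scenario: a privileged user caches a summary, a post is then
# removed, and an anonymous viewer (who cannot regenerate) asks for the summary.
def demo(safe:)
  cache = SummaryCache.new(->(posts) { posts.map(&:raw).join(" / ") }) # LLM stand-in
  posts = [Post.new(1, "Release notes for 2026.1", false),
           Post.new(2, "internal note: secret token rotated", false)]
  cache.fetch(1, posts, can_regenerate: true)
  posts[1].deleted = true
  cache.public_send(safe ? :fetch : :fetch_unsafe, 1, posts, can_regenerate: false)
end
```

`demo(safe: false)` returns the old summary containing the removed post; `demo(safe: true)` returns nil, because the anonymous viewer cannot regenerate and the cached entry no longer matches the visible posts.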
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products (4 associated CPEs)
Vendor     Product     Version / Range
discourse  discourse   2026.5.0
discourse  discourse   from 2026.1.0 (inclusive) to 2026.1.4 (exclusive)
discourse  discourse   from 2026.3.0 (inclusive) to 2026.3.1 (exclusive)
discourse  discourse   from 2026.4.0 (inclusive) to 2026.4.1 (exclusive)
CWE
CWE ID   Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Executive Summary

This vulnerability in Discourse, an open-source discussion platform, involves cached outdated AI-generated summaries that can leak content which had been removed from posts.

Specifically, in versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, anonymous and unprivileged users could access these outdated summaries without the ability to regenerate them, potentially exposing removed or sensitive information.

The issue has been fixed in the mentioned updated versions, and a suggested workaround is to restrict summary generation by tightening the allowed groups on the summarization Personas.

Impact Analysis

This vulnerability allows unauthorized users, including anonymous and unprivileged users, to view content that was intended to be removed or hidden.

Since the leaked information comes from cached AI summaries, sensitive or confidential data could be exposed unintentionally.

The vulnerability is rated moderate, with a CVSS score of 5.3: it can be exploited remotely without privileges or user interaction, and its impact is on confidentiality.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict summary generation by tightening the allowed groups on the summarization Personas.

Additionally, update Discourse to one of the patched versions: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, where the issue has been fixed.

Compliance Impact

This vulnerability in Discourse allows unauthorized anonymous and unprivileged users to access outdated cached AI summaries containing removed content, leading to a confidentiality breach.

Such unauthorized disclosure of potentially sensitive or personal information could negatively affect compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on the confidentiality of, and access to, personal and sensitive data.

The issue has been fixed in later versions, and a workaround involves restricting summary generation to tighter groups, which helps mitigate the risk of unauthorized data exposure.
