CVE-2026-45085
Authorization Bypass in Discourse Chat Plugin

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.4 (exc)
discourse discourse From 2026.3.0 (inc) to 2026.3.1 (exc)
discourse discourse From 2026.4.0 (inc) to 2026.4.1 (exc)
discourse discourse 2026.1.4
discourse discourse 2026.3.1
discourse discourse 2026.4.1
discourse discourse 2026.5.0
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability affects the Discourse open-source discussion platform, specifically in certain versions of its chat plugin and the discourse-calendar plugin. It involves four authorization and information disclosure issues: users with read-only category permissions could create chat threads; users who deleted their own chat messages could restore them even after losing channel access; moderators reviewing flagged chat messages were shown the channel's current last message, which could be unrelated direct message content; and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access, including anonymous users.

Impact Analysis

The vulnerability can lead to unauthorized actions and information disclosure. Specifically, users with limited permissions might perform actions they should not be allowed to, such as creating chat threads. Deleted messages could be restored by their authors even after access revocation, potentially exposing sensitive content. Moderators might see unrelated private messages when reviewing flagged content, risking privacy breaches. Additionally, calendar events could leak chat channel information and messages to unauthorized or anonymous users, compromising confidentiality.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest. These versions contain fixes for the authorization and disclosure issues in the chat plugin and the calendar integration.

Additionally, ensure that the chat plugin is properly configured and consider disabling it temporarily if upgrading is not immediately possible.
