CVE-2026-59828
Undergoing Analysis Undergoing Analysis - In Progress

Information Disclosure in Discourse Post Revisions

Vulnerability report for CVE-2026-59828, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, post revisions that should be hidden from regular users could be leaked through visible diffs on adjacent revisions serialized by PostRevisionSerializer. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
discourse discourse to 2026.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Discourse open-source discussion platform. Before certain fixed versions (2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5), post revisions that were intended to be hidden from regular users could be exposed. This exposure happened through visible differences (diffs) on adjacent revisions that were serialized by the PostRevisionSerializer, allowing unauthorized users to see content that should have been concealed.

Compliance Impact

This vulnerability allows leakage of post revisions that should be hidden from regular users through visible diffs on adjacent revisions. Such unintended data exposure could potentially lead to unauthorized disclosure of sensitive information.

Unauthorized data exposure may impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

However, the specific impact on compliance depends on the nature of the leaked data and the context in which the platform is used.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of information that was meant to be hidden from regular users. This means sensitive or private content in post revisions could be leaked, potentially compromising user privacy or exposing confidential discussions.

Mitigation Strategies

To mitigate this vulnerability, upgrade your Discourse installation to one of the fixed versions: 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5.

Detection Guidance

This vulnerability involves hidden post revisions being leaked through visible diffs on adjacent revisions in the Discourse platform. Detection involves verifying whether your Discourse instance is running a vulnerable version prior to the patched releases (2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5).

To detect if your system is vulnerable, you can check the Discourse version by running the following command on your server:

  • cd /var/discourse && ./launcher enter app
  • bundle exec rails c
  • puts Discourse::VERSION::STRING

If the version is older than the patched versions, your system is vulnerable.

To detect if hidden post revisions are leaking, you can attempt to view post revision diffs as a non-staff user and check if diffs reveal content or metadata from revisions that should be hidden. This can be done by reviewing the post revision history UI or by querying the API endpoints related to post revisions and inspecting the diff data for unauthorized exposure.

There are no specific network commands or automated detection scripts provided in the resources, but manual verification of Discourse version and testing revision diffs visibility as a non-staff user are recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart