BIT-DISCOURSE-2026-33300 Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been...

BIT-DISCOURSE-2026-33185 Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts and ports. This could allow probing of internal...

BIT-DISCOURSE-2026-33074 Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in...

BIT-DISCOURSE-2026-33073 discourse-subscriptions plugin leaking stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across...

BIT-DISCOURSE-2026-32951 Discourse: Authorization bypass in oneboxer via user-controlled category id

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an authenticated user can obtain shared draft topic titles by sending an inline onebox request with a categoryid parameter matching the shared drafts category. This issue h...

BIT-DISCOURSE-2026-32620 Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post...

BIT-DISCOURSE-2026-32619 Discourse: Insufficient topic visibility check allows unauthorized poll manipulation in private categories

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, users who lost access to a topic e.g., removed from a private category group could still interact with polls in that topic, including voting and toggling poll status. No...

BIT-DISCOURSE-2026-32618 Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0...

BIT-DISCOURSE-2026-32615 Discourse: Category group moderators can perform actions on topics in restricted categories without read access

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions...

BIT-DISCOURSE-2026-32607 Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, when the hidden prioritizefullnameinux site setting is enabled defaults to false, requires console access to change, user and group display names are rendered without HTML...

BIT-DISCOURSE-2026-32273 Discourse: XSS on category description update via API

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issue has been patched in versions 2026.1.3, 2026.2.2,...

BIT-DISCOURSE-2026-32243 Discourse: Stored XSS in discourse-ai shared conversations onebox

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted conversation titles. This payload would execute in the...

BIT-DISCOURSE-2026-32113 Discourse: Open redirect via `sso_destination_url` cookie in `enter`

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, the enter action in StaticController reads the ssodestinationurl cookie and redirects to it with allowotherhost: true without validating the destination URL. While this...

CVE-2026-34947

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

CVE-2026-27481

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden staff-only tags and its...

CVE-2026-34947

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

CVE-2026-27481

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden staff-only tags and its...

CVE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

EUVD-2026-18882

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

CVE-2026-34947

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...