CVE-2026-33415

EUVD-2026-17574

31.03.2026, 18:16

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.7 LOW	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 12%

Affected Products (NVD)

Vendor	Product	Version
discourse	discourse	2026.1.0 ≤ 𝑥 < 2026.1.3
discourse	discourse	2026.2.0 ≤ 𝑥 < 2026.2.2
discourse	discourse	2026.3.0
discourse	discourse	2026.3.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/discourse/discourse/commit/e1bb146a1fadc863a516fbc26c6277273a025308

https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg