{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32620", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.557Z", "datePublished": "2026-03-31T17:41:03.246Z", "dateUpdated": "2026-04-01T13:48:23.128Z"}, "containers": {"cna": {"title": "Discourse: Missing post-level authorization allows whisper metadata disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65"}, {"name": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:41:03.246Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-xgg2-vwr6-2c65", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:48:15.303289Z", "id": "CVE-2026-32620", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:48:23.128Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32620", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:48:15.303289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:48:19.026Z"}}], "cna": {"title": "Discourse: Missing post-level authorization allows whisper metadata disclosure", "source": {"advisory": "GHSA-xgg2-vwr6-2c65", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.3"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.2"}, {"status": "affected", "version": ">= 2026.3.0-latest, < 2026.3.0"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d", "name": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:41:03.246Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32620", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:48:23.128Z", "dateReserved": "2026-03-12T15:29:36.557Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:41:03.246Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-32620", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:50.690", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-31T19:36:54.358591+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0, which contain the patch for the missing authorization check.", "Verify that staff\u2011only posts no longer expose read\u2011receipt metadata by testing with a non\u2011staff account after the upgrade."], "summary": {"action": "Patch", "impact": "Metadata Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Discourse releases 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 prior to the release of 2026.3.0. The flaw is resolved in versions 2026.1.3, 2026.2.2, and 2026.3.0. Administrators should confirm the running version and plan an upgrade if the environment is within the affected ranges.", "description_and_impact": "Discourse has a post\u2011level authorization flaw that permits any logged\u2011in user who is not staff to see read\u2011receipt metadata for staff\u2011only posts. Attendees can learn which staff members viewed the post and the timestamp of each read event, without accessing the actual content. The exposed data, while not compromising secrets, can reveal staff engagement patterns and serve as a reconnaissance vector, typifying the CWE\u2011200 information\u2011disclosure weakness.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate risk level. Exploitation requires only authenticated access via the web interface and no elevated privileges, implying a relatively high likelihood of use in environments where non\u2011staff users are available. EPSS data is not provided, and the issue is not listed in the CISA KEV catalog, but the nature of the data leak can aid attackers in mapping staff interaction and planning further attacks. The attack vector is inferred to be a web\u2011based API or UI that returns read receipt information without proper authorization checks."}}}}, "created": "2026-03-31T19:53:40.111523+00:00", "updated": "2026-03-31T20:37:35.440520+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}