{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33300", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.427Z", "datePublished": "2026-03-31T17:42:00.882Z", "dateUpdated": "2026-04-01T18:34:16.767Z"}, "containers": {"cna": {"title": "Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v"}, {"name": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:42:00.882Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-wrwm-vqx2-6x4v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:34:07.503883Z", "id": "CVE-2026-33300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:34:16.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:34:07.503883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:34:11.859Z"}}], "cna": {"title": "Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint", "source": {"advisory": "GHSA-wrwm-vqx2-6x4v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.3"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.2"}, {"status": "affected", "version": ">= 2026.3.0-latest, < 2026.3.0"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2", "name": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:42:00.882Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33300", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:34:16.767Z", "dateReserved": "2026-03-18T18:55:47.427Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:42:00.882Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-33300", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:52.267", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-31T20:05:44.718755+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to version 2026.1.3 or newer, to 2026.2.2 or newer, or to 2026.3.0 or newer."], "summary": {"action": "Patch Now", "impact": "Information Disclosure to Moderators"}, "threat_synthesis": {"affected_systems": "Discourse installations running any of the following versions are impacted: 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0\u2011earlier. The issue has been fixed in 2026.1.3, 2026.2.2, and 2026.3.0.", "description_and_impact": "The vulnerability is an authorization bypass in the Category Chatables controller show action. Moderators, who are already authenticated, can access the /category-chatables endpoint and receive metadata about hidden groups, including group names and member counts. This exposes sensitive administrative information that should be concealed, which is a classic information\u2011disclosure weakness (CWE\u2011200).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate level of risk. There is no EPSS score available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate moderator account, so while external attackers cannot directly abuse the flaw, privileged insiders could use it to learn hidden group membership and potentially track or target users within those groups."}}}}, "created": "2026-03-31T20:11:49.601286+00:00", "updated": "2026-03-31T20:37:31.484678+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}