{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33415", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.171Z", "datePublished": "2026-03-31T17:42:15.870Z", "dateUpdated": "2026-03-31T17:42:15.870Z"}, "containers": {"cna": {"title": "Discourse: Improper Access Control in discourse-ai Allows Unauthorized Category Content Exposure", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg"}, {"name": "https://github.com/discourse/discourse/commit/e1bb146a1fadc863a516fbc26c6277273a025308", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/e1bb146a1fadc863a516fbc26c6277273a025308"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:42:15.870Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-vj5f-gg8m-93xg", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-33415", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:52.410", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/e1bb146a1fadc863a516fbc26c6277273a025308"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-31T19:35:37.469867+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to at least version 2026.1.3, 2026.2.2, or 2026.3.0, whichever applies to your deployment.", "If an upgrade is not immediately possible, consider disabling the sentiment\u2011analytics endpoint or restricting moderator access to that endpoint temporarily.", "Verify that the vulnerability no longer exists by testing the endpoint after applying the patch.", "Monitor Discourse\u2019s release notes and security advisories for any additional patches."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Information Disclosure"}, "threat_synthesis": {"affected_systems": "Discourse software versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and any 2026.3.0 release before the 2026.3.0 patch are vulnerable. The issue was fixed in 2026.1.3, 2026.2.2, and 2026.3.0. Administrators should verify their installed version and consult the vendor\u2019s advisory for exact upgrade instructions.", "description_and_impact": "An access control flaw in Discourse\u2019s sentiment\u2011analytics endpoint allows an authenticated user with moderator privileges to read posts, topic titles, and usernames in categories that should be restricted. This bypasses normal category permissions and leads to confidential content being exposed to users without proper authorization. The weakness is a classic information\u2011leak vulnerability (CWE\u2011284), providing attackers with potential insight into private discussions or sensitive data.", "risk_and_exploitability": "With a CVSS score of 5.1, the problem is considered moderate severity; exploitation requires a valid moderator account, so the attack surface is limited to users with elevated privileges. No publicly known exploits were reported and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, because it compromises confidentiality, prompt patching is recommended once an updated version is available."}}}}, "created": "2026-03-31T19:53:36.324479+00:00", "updated": "2026-03-31T20:37:30.561338+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}