CVE-2021-41082
Private message title and participating users leaked in discourse
In short
A bug in Discourse exposed the titles and participant names of private messages containing groups to unauthorized users, though the actual message content remained protected. This leaked sensitive information about who was communicating privately and what they were discussing.
Technical detail
Information disclosure vulnerability in Discourse group private messaging where metadata (title and participant list) was inadvertently exposed in user inboxes despite intact access controls on message content. The issue affected versions where a specific commit exposed group PM metadata before being reverted within 32 minutes; users must upgrade to patched versions or the latest tests-passed branch.
Summary generated and translated by AI from the official description.
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
discourse · discourseWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →