← volver
CVE-2026-33300

Discourse: Hidden group names and access metadata are exposed to moderators through the `category-chatables` endpoint

CVSS 5.3 MEDIUMEPSS 0.2%CWE-200
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
31 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
discourse · discourse

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v