Discourse leaks private topic metadata to non-authorized users
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
References
- https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897 x_refsource_MISC
- https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab x_refsource_MISC
- https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76 x_refsource_CONFIRM
- https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc x_refsource_MISC
Affected products
- === 2026.3.0-latest
- ==>= 2026.2.0-latest, < 2026.2.1
- ==>= 2026.1.0-latest, < 2026.1.2
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
pkgs.discourseAllPlugins
Discourse is an open source discussion platform
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>