NIXPKGS-2026-0897
GitHub issue
published on
Permalink
CVE-2026-32618
4.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package discourse-mail-receiver
- @LeSuisse removed package python312Packages.pydiscourse
- @LeSuisse removed package python313Packages.pydiscourse
- @LeSuisse removed package python314Packages.pydiscourse
- @LeSuisse removed package grafanaPlugins.grafana-discourse-datasource
- @LeSuisse removed maintainer @talyz
- @LeSuisse accepted
- @LeSuisse published on GitHub
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
References
Affected products
discourse
- ==>= 2026.2.0-latest, < 2026.2.2
- ==>= 2026.1.0-latest, < 2026.1.3
- ==>= 2026.3.0-latest, < 2026.3.0
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
Package maintainers
Ignored maintainers (1)
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>