Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: python314Packages.pydiscourse

Found 33 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-33410
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 2 days, 9 hours ago
Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-28282
created 2 days, 9 hours ago
Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-27934
created 2 days, 9 hours ago
Discourse leaks private topic title and post excerpt via user action API endpoint

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

References

Affected products

discourse
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers