Discourse: Staged user custom fields are exposed on public invite...

2.7 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Basic Information

ID CVE-2026-34947

Source GitHub_M

Published Apr 3, 2026 at 21:27

Modified Apr 7, 2026 at 14:17

Affected Product

Vendor discourse

Product discourse

Version >= 2026.1.0-latest, < 2026.1.3

Affected Versions discourse discourse >= 2026.1.0-latest, < 2026.1.3
discourse discourse >= 2026.2.0-latest, < 2026.2.2
discourse discourse >= 2026.3.0-latest, < 2026.3.0

CWE Classification

CWE-200

References

github.com /discourse/discourse/security/advisories/GHSA-4rcw-wq9x-54qw

{
    "lastseen": "",
    "description": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.",
    "published": "2026-04-03T21:27:59.837Z",
    "modified": "2026-04-07T14:17:59.649Z",
    "type": "cve",
    "title": "Discourse: Staged user custom fields are exposed on public invite pages",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-4rcw-wq9x-54qw",
    "id": "CVE-2026-34947",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse >= 2026.1.0-latest, < 2026.1.3\ndiscourse discourse >= 2026.2.0-latest, < 2026.2.2\ndiscourse discourse >= 2026.3.0-latest, < 2026.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 2.7,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": ">= 2026.1.0-latest, < 2026.1.3",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Discourse: Staged user custom fields are exposed on public invite pages_CVE-2026-34947