Discourse: Admin-only report can be exported by moderators_CVE-2026-32143

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Basic Information

ID CVE-2026-32143

Source GitHub_M

Published Mar 31, 2026 at 17:39

Modified Apr 1, 2026 at 18:05

Affected Product

Vendor discourse

Product discourse

Version >= 2026.1.0-latest, < 2026.1.3

Affected Versions discourse discourse >= 2026.1.0-latest, < 2026.1.3
discourse discourse >= 2026.2.0-latest, < 2026.2.2
discourse discourse >= 2026.3.0-latest, < 2026.3.0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for admins. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.",
    "published": "2026-03-31T17:39:25.635Z",
    "modified": "2026-04-01T18:05:32.105Z",
    "type": "cve",
    "title": "Discourse: Admin-only report can be exported by moderators",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-rhjf-mgqw-37wq\nhttps://github.com/discourse/discourse/commit/727029a2983a14b50bce19439fbf9840db8372aa",
    "id": "CVE-2026-32143",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse >= 2026.1.0-latest, < 2026.1.3\ndiscourse discourse >= 2026.2.0-latest, < 2026.2.2\ndiscourse discourse >= 2026.3.0-latest, < 2026.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": ">= 2026.1.0-latest, < 2026.1.3",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}