Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id_CVE-2026-32618

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Basic Information

ID CVE-2026-32618

Source GitHub_M

Published Mar 31, 2026 at 17:40

Modified Apr 3, 2026 at 16:20

Affected Product

Vendor discourse

Product discourse

Version >= 2026.1.0-latest, < 2026.1.3

Affected Versions discourse discourse >= 2026.1.0-latest, < 2026.1.3
discourse discourse >= 2026.2.0-latest, < 2026.2.2
discourse discourse >= 2026.3.0-latest, < 2026.3.0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.",
    "published": "2026-03-31T17:40:41.484Z",
    "modified": "2026-04-03T16:20:00.471Z",
    "type": "cve",
    "title": "Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3\nhttps://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64",
    "id": "CVE-2026-32618",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse >= 2026.1.0-latest, < 2026.1.3\ndiscourse discourse >= 2026.2.0-latest, < 2026.2.2\ndiscourse discourse >= 2026.3.0-latest, < 2026.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": ">= 2026.1.0-latest, < 2026.1.3",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}