In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-32114 was detected. This vulnerability allows any authenticated user to access restricted metadata about AI personas, features, and LLM models via unscoped status lookups, exposing information such as credit allocations and usage statistics. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1, 2026.1.2, or disable the AI plugin as a workaround. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32114.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-32099 was detected. This vulnerability allows authenticated users to access hidden profile information—such as bio, location, and website—through the user onebox preview, even when hide_profile is enabled. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32099.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-33395 was detected. This vulnerability allows authenticated users to inject malicious JavaScript through DOT graph definitions in the discourse-graphviz plugin, leading to stored cross-site scripting (XSS) in instances with CSP disabled. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33395.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a low severity vulnerability CVE-2026-33408 was detected. This vulnerability allows moderators to view the first 40 characters of post edits in private messages and private categories, bypassing intended access restrictions. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33408.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-31805 was detected. This vulnerability allows authenticated users to bypass authorization in the poll plugin, enabling them to vote, remove votes, or toggle the open/closed status of polls they should not have access to by manipulating the post_id array parameter. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31805.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-32099 was detected. This vulnerability allows authenticated users to access hidden profile information—such as bio, location, and website—through the user onebox preview, even when hide_profile is enabled. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-32099.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-33355 was detected. This vulnerability allows regular participants in private message topics to view whisper posts via the `/private-posts` endpoint, bypassing intended post-type visibility restrictions. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33355.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a high severity vulnerability CVE-2026-33410 was detected. This vulnerability allows attackers to bypass authorization checks in the chat direct message API, potentially exposing private group member identities and message content by abusing improper validation of the target_groups parameter and insufficient checks on user chat settings. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33410.
In Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 a medium severity vulnerability CVE-2026-33393 was detected. This vulnerability allows attackers to bypass spam protection by exploiting improper domain boundary validation in the allowed_spam_host_domains check, enabling domains like attacker-example.com to circumvent restrictions when example.com was allowlisted. To address this issue, users should upgrade Discourse to versions 2026.3.0-latest.1, 2026.2.1 or 2026.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-33393.