CVE-2026-23743 in Discourse
Summary
by MITRE • 01/28/2026
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.
Analysis
by VulDB Data Team • 01/31/2026
This vulnerability in the Discourse discussion platform is an information disclosure flaw that sidesteps the platform's access controls for restricted content. It affects versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. In those versions the permalink handler resolves a permalink to its target (a private topic, category, post, or hidden tag) and redirects to the target's canonical URL, which embeds the resource slug, without first checking that the requesting user is allowed to see that target. Because Discourse derives a topic's slug from its title, the redirect alone tells an unauthorized user both that the resource exists and what it is called, which is why the summary names private topic titles as the leaked data. The same slug is exposed a second time on the client side, through the 404 page reached after following the redirect.
The root cause is an ordering problem rather than a missing access control on the resource itself: the permalink code path looks up the target and builds the redirect URL before, or instead of, applying the authorization check that protects the target when it is requested directly. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The protected resource never renders, but a neighbouring code path, the redirect, emits one of its protected attributes in the Location header. The correct behaviour is for a user who cannot view the target to receive exactly the response they would get for a permalink that points nowhere, so that neither the status code nor any header reveals what the permalink maps to.
The operational impact goes beyond one leaked string. Permalinks are usually created to keep old URLs working after a migration, so their paths often follow the predictable numbering of the previous forum software, and an attacker can walk them in bulk and harvest the slugs of every restricted topic or category they point to. Two vectors are involved. The Location header of the redirect is visible to any HTTP client without rendering a page, which makes the leak trivially scriptable. The 404 page shown after the redirect is followed pre-fills its search box from the slug in the requested URL, so even a browser user who merely clicks a stale link is shown the title of a topic they are not permitted to read. Leaked titles confirm the existence of sensitive threads and give an attacker realistic material for phishing or pretexting against the forum's members; this is most damaging in collaborative deployments where private categories hold personnel, legal, financial, or strategic discussions.
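The mechanism and the two vectors described in the previous two paragraphs, as an added example that is not code from Discourse or from the advisory: a minimal Ruby model of a permalink handler in its leaking and hardened forms, followed by the 404 page's search pre-fill. Topic, TOPICS, PERMALINKS, can_see?, topic_url, the handler names and the fixture data are hypothetical stand-ins chosen for illustration.

```ruby
# Added illustration, not Discourse's own code: a minimal model of a
# permalink redirect that leaks a private topic's slug, beside a hardened
# version that authorises the target before it redirects. Topic, TOPICS,
# PERMALINKS, can_see? and the handler names are hypothetical stand-ins.

Topic = Struct.new(:id, :slug, :restricted, :allowed_user_ids)

# Constructed fixture: one public topic and one restricted topic whose title
# (and therefore its URL slug) is itself the sensitive information.
TOPICS = {
  101 => Topic.new(101, "welcome-to-the-forum", false, []),
  202 => Topic.new(202, "layoffs-planned-for-q3-finance-team", true, [7]),
}.freeze

# Legacy path -> target topic id, as an admin-maintained permalink table holds.
PERMALINKS = {
  "/forum/announce/1" => 101,
  "/forum/exec/42"    => 202,
}.freeze

NOT_FOUND = { status: 404, headers: {}, search_prefill: nil }.freeze

# Stand-in for the platform's authorisation check: anonymous users (nil)
# and non-members may not see restricted topics.
def can_see?(user_id, topic)
  return true unless topic.restricted
  !user_id.nil? && topic.allowed_user_ids.include?(user_id)
end

# Canonical topic URL: the slug is embedded in the path.
def topic_url(topic)
  "/t/#{topic.slug}/#{topic.id}"
end

# Vulnerable shape: resolve the permalink and redirect to the canonical URL
# without asking whether the requester may see the target. The slug is now
# in the Location header for anyone who knows the legacy path.
def resolve_permalink_vulnerable(path, _user_id)
  topic = TOPICS[PERMALINKS[path]]
  return NOT_FOUND if topic.nil?
  { status: 301, headers: { "Location" => topic_url(topic) }, search_prefill: nil }
end

# Hardened shape: an inaccessible target is answered exactly like a
# nonexistent one, so the response carries nothing derived from it.
def resolve_permalink_fixed(path, user_id)
  topic = TOPICS[PERMALINKS[path]]
  return NOT_FOUND if topic.nil? || !can_see?(user_id, topic)
  { status: 301, headers: { "Location" => topic_url(topic) }, search_prefill: nil }
end

# Second vector from the advisory, modelled: following the redirect to a
# topic the user may not view yields a 404 page whose search box is seeded
# from the slug words in the requested URL.
def follow_topic_url(location, user_id)
  _, _, slug, id = location.split("/")
  topic = TOPICS[id.to_i]
  if topic.nil? || !can_see?(user_id, topic)
    return { status: 404, headers: {}, search_prefill: slug.tr("-", " ") }
  end
  { status: 200, headers: {}, search_prefill: nil }
end

# Drives the full chain for one client and returns what it learned about a
# target it is not allowed to read, or nil if nothing leaked.
def leaked_terms(handler, path, user_id = nil)
  first = send(handler, path, user_id)
  return nil unless first[:status] == 301
  location = first[:headers]["Location"]
  second = follow_topic_url(location, user_id)
  return nil if second[:status] == 200
  { location: location, search_prefill: second[:search_prefill] }
end

if __FILE__ == $PROGRAM_NAME
  p leaked_terms(:resolve_permalink_vulnerable, "/forum/exec/42")
  p leaked_terms(:resolve_permalink_fixed, "/forum/exec/42")
end
```

The property worth keeping in mind is the one the hardened handler enforces: a permalink to a resource the requester cannot see returns the same response as a permalink that does not exist. That indistinguishability, checked as an anonymous client against a permalink to a known private topic, is also the post-upgrade test to run.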
Mitigation is to upgrade to 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, whichever matches the release line in use; the advisory lists no workaround. After upgrading, verify the fix directly rather than trusting the version string: as an anonymous client, request a permalink that maps to a known private topic and confirm that the response carries no slug in its Location header and that the page it leads to does not pre-fill the topic title. Administrators should also review which existing permalinks point at restricted topics, categories, posts, or tags, since those are the ones that leaked; removing them reduces exposure but is not a substitute for the upgrade. For detection, the footprint of enumeration is a single client producing a run of redirects from permalink paths each followed by a 404 on a /t/ topic URL, and possibly search requests for the pre-filled title words; a standard web-server access log does not record the Location header, so that pairing has to be inferred from the request sequence. More broadly, the issue shows why redirect handlers and error pages need the same authorization review as the resources they point at: a check applied when content is rendered is defeated if an earlier code path already disclosed a protected attribute in a header or a form field.
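One way to hunt for the enumeration footprint described above, as an added detection sketch that is not part of the advisory or of Discourse: a Ruby scan over an access log in the common combined format that pairs each client's 301 from a non-topic path with its next request when that request is a 404 on a /t/<slug>/<id> URL. The log lines are constructed for this example, and the assumptions are that the log is in chronological order and that topic URLs follow the /t/<slug>/<id> shape; the threshold and window values are illustrative.

```ruby
# Added detection sketch, not part of the advisory or of Discourse: scan a
# web-server access log in the common "combined" format for clients that
# chain redirects from permalink-style paths into 404s on topic URLs, the
# footprint of enumerating the leak described above. Assumptions: the log
# is in chronological order, and topic URLs follow the /t/<slug>/<id> shape.
require 'time'

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
TOPIC_PATH = %r{\A/t/(?<slug>[^/]+)/\d+}

# Constructed sample log. 203.0.113.5 is a scripted client walking legacy
# paths; 198.51.100.9 is an ordinary user following one stale link.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [29/Jan/2026:10:00:01 +0000] "GET /forum/exec/42 HTTP/1.1" 301 0 "-" "curl/8.5"
  203.0.113.5 - - [29/Jan/2026:10:00:01 +0000] "GET /t/layoffs-planned-for-q3-finance-team/202 HTTP/1.1" 404 1200 "-" "curl/8.5"
  198.51.100.9 - - [29/Jan/2026:10:00:02 +0000] "GET /forum/announce/1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
  198.51.100.9 - - [29/Jan/2026:10:00:02 +0000] "GET /t/welcome-to-the-forum/101 HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
  203.0.113.5 - - [29/Jan/2026:10:00:02 +0000] "GET /forum/exec/43 HTTP/1.1" 301 0 "-" "curl/8.5"
  203.0.113.5 - - [29/Jan/2026:10:00:03 +0000] "GET /t/board-minutes-acquisition-target/203 HTTP/1.1" 404 1200 "-" "curl/8.5"
  203.0.113.5 - - [29/Jan/2026:10:00:03 +0000] "GET /forum/exec/44 HTTP/1.1" 301 0 "-" "curl/8.5"
  203.0.113.5 - - [29/Jan/2026:10:00:04 +0000] "GET /t/pending-termination-jsmith/204 HTTP/1.1" 404 1200 "-" "curl/8.5"
  203.0.113.5 - - [29/Jan/2026:10:00:05 +0000] "GET /forum/exec/45 HTTP/1.1" 404 1200 "-" "curl/8.5"
LOG

Entry = Struct.new(:ip, :time, :path, :status)

# Parses combined-format lines into Entry records; unparseable lines are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    Entry.new(m[:ip], Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"), m[:path], m[:status].to_i)
  end
end

# Pairs each 301 on a non-topic path with the same client's next request when
# that request is a 404 on a topic URL within `window` seconds. The access log
# does not record the Location header, so adjacency stands in for it. Returns
# { ip => [slugs exposed] } for clients with at least `threshold` such pairs;
# the slug list tells responders which restricted titles were disclosed.
def suspicious_clients(entries, threshold: 3, window: 5)
  hits = Hash.new { |h, k| h[k] = [] }
  entries.group_by(&:ip).each do |ip, reqs|
    reqs.each_cons(2) do |a, b|
      next unless a.status == 301 && !TOPIC_PATH.match?(a.path)
      m = TOPIC_PATH.match(b.path)
      next unless b.status == 404 && m
      next unless b.time - a.time <= window
      hits[ip] << m[:slug]
    end
  end
  hits.select { |_, slugs| slugs.size >= threshold }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_clients(parse_log(SAMPLE_LOG)).each do |ip, slugs|
    puts "#{ip}: #{slugs.size} redirect->404 pairs; exposed slugs: #{slugs.join(', ')}"
  end
end
```

The adjacency heuristic will miss an attacker who interleaves unrelated requests or spreads the walk across many source addresses, and a reverse proxy in front of the application must pass the real client address for the grouping to mean anything. Its main value is after the fact: the slug list per flagged client is the set of restricted titles that were actually disclosed, which is what an incident write-up needs.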