CVE-2026-26265 in Discourseinfo

Summary

by MITRE • 02/26/2026

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/03/2026

The vulnerability identified as CVE-2026-26265 affects Discourse, an open source discussion platform, and represents a critical insecure direct object reference issue that compromises user privacy and data protection. This vulnerability exists in versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, where the directory items endpoint fails to properly validate user permissions when processing requests for private user field data. The flaw specifically resides in the DirectoryItemsController#index method which accepts arbitrary user field IDs through the user_field_ids parameter without implementing adequate authorization checks. This design oversight allows any authenticated or anonymous user to bypass the platform's intended access controls and retrieve sensitive information that should remain private according to administrator configuration.

The technical implementation of this vulnerability stems from the absence of proper access control validation within the directory items endpoint. When users make requests to GET /directory_items.json?period=all&user_field_ids=<id>, the system processes these requests without verifying whether the requesting user has permission to access the specified private field data. The platform's normal access control mechanisms, such as the Guardian#allowed_user_field_ids method and UserCardSerializer's enforcement of show_on_profile and show_on_user_card visibility restrictions, are entirely circumvented in this particular endpoint. This creates a pathway for unauthorized data retrieval that directly violates the principle of least privilege and demonstrates a significant failure in the application's authorization architecture. The vulnerability operates at the application layer and can be exploited through simple http requests without requiring complex attack vectors or specialized tools.

The operational impact of this vulnerability is severe and multifaceted, enabling attackers to perform bulk data exfiltration of private user information including but not limited to phone numbers, physical addresses, and other sensitive custom fields that administrators have explicitly configured as non-public. This represents a direct violation of user privacy and could potentially expose individuals to identity theft, harassment, or other malicious activities. The scope of compromise extends to all users within the directory, meaning that an attacker could systematically harvest personal information from every user account that has private fields configured, creating a comprehensive database of sensitive personal information. The vulnerability's impact is particularly concerning given that it affects anonymous users as well as authenticated users, removing any barrier to exploitation and expanding the potential attack surface significantly.

The security implications of this vulnerability align with CWE-284 (Improper Access Control) and represent a clear violation of the principle of least privilege in information security. From an ATT&CK framework perspective, this vulnerability maps to T1213 (Data from Information Repositories) and T1078 (Valid Accounts) as it enables unauthorized access to user data repositories and leverages legitimate user access points to extract sensitive information. The vulnerability is particularly concerning because it affects the core functionality of user directory services, which are commonly used for community engagement, user discovery, and social networking features. The patched versions address this issue by implementing proper filtering of user_field_ids against UserField.public_fields for non-staff users before constructing the custom field map, ensuring that only authorized field data is accessible through the directory endpoint. This remediation approach follows established security best practices by implementing proper input validation and access control checks at the application layer. Site administrators can also implement workarounds such as removing sensitive data from private user fields or disabling the user directory entirely through the enable_user_directory site setting, providing immediate mitigation options while the software updates are deployed.

The vulnerability demonstrates a fundamental flaw in the platform's security architecture where endpoint-specific access controls were not properly implemented or maintained across different application components. This type of issue commonly occurs when developers focus on core functionality while neglecting to implement comprehensive access control checks for all data retrieval endpoints, particularly those that aggregate data from multiple sources. The patch implementation in versions 2025.12.2, 2026.1.1, and 2026.2.0 represents a proper remediation that ensures consistency between the directory endpoint access controls and the platform's overall security model. Organizations using Discourse should prioritize updating to these patched versions immediately and conduct thorough security reviews of their user directory configurations to identify and remediate any similar access control vulnerabilities that may exist in other parts of their platform infrastructure.

Responsible

GitHub M

Reservation

02/12/2026

Disclosure

02/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00266

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!