CVE-2026-31869 in Discourse

Summary

by MITRE • 03/20/2026

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability described in CVE-2026-31869 represents a critical information disclosure flaw within the Discourse open-source discussion platform that affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The issue resides in the ComposerController#mentions endpoint, which handles user mentions within the platform's messaging and discussion features. The flaw specifically affects groups whose membership visibility is set to hidden, creating a bypass that lets authenticated users indirectly discover who belongs to these restricted groups through an inference attack.

The vulnerability exploits the way the platform handles group membership queries when users attempt to mention members of groups they cannot directly access. When an attacker supplies a list of usernames through the allowed_names parameter that references a hidden-membership group, the system responds differently depending on whether the target user is actually a member of that group. The endpoint returns distinct responses: the user_reasons field contains "private" for users who are not members of the hidden group, while legitimate members receive a different response pattern. This differential response behavior creates a side channel that enables the attacker to systematically probe membership by testing various usernames against the vulnerable endpoint.

From an operational impact perspective, this vulnerability undermines the fundamental security model of group visibility controls within Discourse. The attack allows threat actors to map out hidden group memberships without direct authorization, potentially exposing sensitive user relationships, administrative structures, or private communities. This information disclosure could lead to further attacks including social engineering, targeted phishing campaigns, or exploitation of specific group members. The vulnerability is particularly concerning because it affects authenticated users who may not have legitimate access to the target groups, creating a scenario where unauthorized information gathering becomes possible through legitimate platform functionality.

The security implications extend beyond simple information disclosure and align with several cybersecurity frameworks including CWE-200 (Information Exposure) and ATT&CK technique T1213 (Data from Information Repositories) where adversaries gather information about system components and their relationships. The vulnerability demonstrates a failure in proper access control enforcement at the application layer, specifically in how the system handles membership queries for restricted groups. Organizations using Discourse without the patched versions face significant risk of unauthorized membership inference, particularly in environments where group memberships represent sensitive organizational structures or contain personal information about users.

The recommended mitigation strategy involves restricting the messageable policy for hidden-membership groups to ensure that only authorized personnel such as staff members or actual group members can access the vulnerable code path. This approach aligns with the principle of least privilege and proper access control implementation. Additionally, organizations should consider implementing additional monitoring for unusual patterns of mention queries that may indicate attempted exploitation of this vulnerability. The patch included in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 addresses the core issue by implementing proper access controls that prevent unauthorized users from probing group membership through the mentions endpoint, thereby restoring the intended privacy controls for hidden groups within the Discourse platform.
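The analysis above recommends monitoring for unusual patterns of mention queries. The following Ruby script is an added example, not code from VulDB, MITRE or the Discourse project, of what such a detection could look like: it parses constructed access-log lines, keeps only requests to the mentions endpoint, and flags a user who probes many distinct usernames against a hidden-membership group inside a short time window. The `/composer/mentions` request path, the log line layout, the `HIDDEN_GROUPS` list and the window and threshold values are assumptions; the page itself only names the controller action and the `allowed_names` parameter.

```ruby
require "cgi"
require "time"

# Constructed sample access-log lines (not real Discourse logs). The layout is an
# assumption: client, "-", username, timestamp, request line, status. alice probes
# six different names against the hidden group "secret-team" within half a minute,
# bob composes one ordinary message to that group, and carol sends a large mention
# list to a group that is not hidden.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - alice [21/Mar/2026:10:00:01 +0000] "GET /composer/mentions?names%5B%5D=bob&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.5 - alice [21/Mar/2026:10:00:09 +0000] "GET /composer/mentions?names%5B%5D=carol&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.5 - alice [21/Mar/2026:10:00:17 +0000] "GET /composer/mentions?names%5B%5D=dave&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.5 - alice [21/Mar/2026:10:00:25 +0000] "GET /composer/mentions?names%5B%5D=erin&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.5 - alice [21/Mar/2026:10:00:33 +0000] "GET /composer/mentions?names%5B%5D=frank&names%5B%5D=grace&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.7 - bob [21/Mar/2026:10:01:00 +0000] "GET /composer/mentions?names%5B%5D=alice&names%5B%5D=carol&allowed_names%5B%5D=secret-team HTTP/1.1" 200
  10.0.0.9 - carol [21/Mar/2026:10:02:00 +0000] "GET /composer/mentions?names%5B%5D=a1&names%5B%5D=a2&names%5B%5D=a3&names%5B%5D=a4&names%5B%5D=a5&names%5B%5D=a6&allowed_names%5B%5D=public-team HTTP/1.1" 200
  10.0.0.9 - carol [21/Mar/2026:10:02:05 +0000] "GET /t/some-topic/42 HTTP/1.1" 200
LOG

# Groups whose membership is hidden (assumption: a list the operator maintains,
# e.g. exported from the admin group settings).
HIDDEN_GROUPS = %w[secret-team legal].freeze

# Request path of ComposerController#mentions (assumption; the page only names
# the controller action).
MENTIONS_PATH = "/composer/mentions"

LINE_RE = /\A(?<client>\S+) - (?<user>\S+) \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

MentionQuery = Struct.new(:user, :time, :names, :allowed_names)

# Parse one log line; returns a MentionQuery for mentions requests, nil otherwise.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  path, _, query = m[:target].partition("?")
  return nil unless path == MENTIONS_PATH
  params = CGI.parse(query) # decodes "names%5B%5D" back to "names[]"
  MentionQuery.new(
    m[:user],
    Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"),
    params.fetch("names[]", []),
    params.fetch("allowed_names[]", [])
  )
end

# Flag users whose mentions queries naming a hidden group touch at least
# `threshold` distinct usernames within `window` seconds. Ordinary composing
# touches a handful of names; enumeration touches many.
def find_probing(log, window: 600, threshold: 5)
  queries = log.each_line.map { |l| parse_line(l) }.compact
  alerts = []
  queries.group_by(&:user).each do |user, qs|
    qs.sort_by!(&:time)
    HIDDEN_GROUPS.each do |group|
      hits = qs.select { |q| q.allowed_names.include?(group) }
      i = 0 # start of the sliding window over time-ordered hits
      hits.each_with_index do |q, j|
        i += 1 while q.time - hits[i].time > window
        names = hits[i..j].flat_map(&:names).uniq
        next if names.size < threshold
        alerts << { user: user, group: group, distinct_names: names.size,
                    first: hits[i].time, last: q.time }
        break # one alert per user and group is enough
      end
    end
  end
  alerts
end

if $PROGRAM_NAME == __FILE__
  find_probing(SAMPLE_LOG).each do |a|
    puts "#{a[:user]} probed #{a[:distinct_names]} names against #{a[:group]} between #{a[:first]} and #{a[:last]}"
  end
end
```

Run against real logs by feeding the file contents to `find_probing`; the window and threshold should be tuned to the forum's normal mention volume, and the alert fields give the responder the user, the group and the time span to review. Note that the detection only covers queries naming a group in `HIDDEN_GROUPS`, so the list has to be kept in step with the groups whose membership visibility is actually hidden.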

Responsible

GitHub M

Reservation

03/09/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00054

KEV

no

Activities

very low
