CVE-2026-32099 in Discourse

Summary

by MITRE • 03/20/2026

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, when a user has `hide_profile` enabled, their bio, location, and website were still exposed through the user onebox preview. An authenticated user could request a onebox for a hidden user's profile URL and receive their hidden profile fields (bio, location, website) in the response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.


Analysis

by VulDB Data Team • 03/25/2026

This vulnerability affects Discourse, an open-source discussion platform, and represents a critical privacy breach in user data protection mechanisms. The issue stems from improper access control implementation where users who have explicitly enabled the `hide_profile` setting still have their personal information exposed through the onebox preview feature. This flaw exists in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, creating a scenario where authenticated users can bypass intended privacy controls through targeted API requests.

The technical implementation flaw occurs within the onebox preview functionality that processes user profile URLs and returns structured data containing sensitive profile information. When a user has `hide_profile` enabled, their bio, location, and website fields should be excluded from public-facing responses, but the onebox feature fails to properly check user privacy settings before including this data in its response payload. This represents a classic access control vulnerability where the system does not properly enforce authorization boundaries between different user privacy states.

The operational impact of this vulnerability extends beyond simple privacy concerns to potentially expose sensitive personal information that users intended to keep private. Attackers could systematically harvest bio details, location data, and website information from users who have disabled profile visibility, creating detailed profiles of individuals without their knowledge or consent. This breach undermines the fundamental privacy controls that users rely on when configuring their account settings and could enable social engineering attacks, stalking, or other malicious activities targeting specific individuals within the platform's community.

From a cybersecurity perspective, this vulnerability aligns with CWE-639 Access Control Bypass, where the system fails to properly verify user permissions before granting access to protected resources. The issue also maps to ATT&CK technique T1213 Data from Information Repositories, as it involves unauthorized access to user data stored within the platform's repository. The vulnerability demonstrates poor input validation and insufficient authorization checks in API endpoints that handle user profile data, particularly in the onebox preview functionality that processes external requests.

The patch implemented in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 addresses this by ensuring that when `hide_profile` is enabled, all sensitive profile information is properly excluded from onebox responses regardless of the request type. Organizations using Discourse should immediately upgrade to the patched versions to prevent unauthorized data exposure. The lack of known workarounds means that administrators cannot implement temporary fixes and must rely entirely on the official patch releases to resolve this security gap. This vulnerability highlights the importance of comprehensive testing of privacy controls and the need for thorough validation of access control mechanisms in web applications that handle user personal information.
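The class of defect described above, as an added illustration (not Discourse's code): a minimal onebox preview builder for user profile URLs that serializes bio, location and website without consulting `hide_profile`, beside a hardened version that includes those fields only when the viewer may see them. The user records, the `/u/<username>` path shape, and the policy that the profile owner and staff may still see hidden fields are assumptions made for the example.

```ruby
require 'uri'

# Minimal stand-in for a user record (constructed for this example).
User = Struct.new(:username, :name, :bio, :location, :website,
                  :hide_profile, :staff, keyword_init: true)

# Constructed sample users, not real accounts.
USERS = {
  'alice' => User.new(username: 'alice', name: 'Alice', bio: 'Reads logs', location: 'Oslo',
                      website: 'https://alice.example', hide_profile: true, staff: false),
  'bob'   => User.new(username: 'bob', name: 'Bob', bio: 'Writes docs', location: 'Lima',
                      website: 'https://bob.example', hide_profile: false, staff: false)
}.freeze

# Extracts the username from a profile URL such as https://forum.example/u/alice
# (assumed path shape; returns nil for anything else).
def username_from_profile_url(url)
  path = URI.parse(url).path
  m = %r{\A/u(?:sers)?/([A-Za-z0-9_.-]+)/?\z}.match(path)
  m && m[1]
end

# Vulnerable shape: the preview is built from the profile without any privacy check,
# so a hidden user's optional fields are returned to any authenticated requester.
def onebox_preview_vulnerable(url)
  user = USERS[username_from_profile_url(url)]
  return nil unless user
  { username: user.username, name: user.name,
    bio: user.bio, location: user.location, website: user.website }
end

# Assumed policy: a hidden profile is visible only to its owner and to staff.
def profile_visible_to?(user, viewer)
  return true unless user.hide_profile
  return false if viewer.nil?
  viewer.staff || viewer.username == user.username
end

# Hardened shape: optional fields are merged in only after the visibility check passes.
def onebox_preview(url, viewer: nil)
  user = USERS[username_from_profile_url(url)]
  return nil unless user
  preview = { username: user.username, name: user.name }
  if profile_visible_to?(user, viewer)
    preview.merge!(bio: user.bio, location: user.location, website: user.website)
  end
  preview
end

# Fields that must not appear in a preview of a hidden profile for an ordinary viewer;
# useful as a regression check against the serializer output.
HIDDEN_FIELDS = %i[bio location website].freeze

def leaks_hidden_fields?(preview)
  preview && HIDDEN_FIELDS.any? { |f| preview.key?(f) }
end
```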

Responsible: GitHub M
Reservation: 03/10/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00020
KEV: no
Activities: very low
