CVE-2026-33355 in Discourse

Summary

by MITRE • 03/20/2026

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-33355 affects Discourse, a popular open-source discussion platform used as a collaborative forum by communities and organizations. The flaw lies in the platform's access control logic, specifically in the `/private-posts` endpoint that serves private messaging content. It is a critical authorization bypass that undermines the security model of private communications within the platform. All versions prior to the patched releases 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are affected, which represents a significant window of exposure for deployments that have not upgraded.

The technical flaw stems from insufficient post-type visibility filtering within the `/private-posts` endpoint implementation. In normal operation, whisper posts in private messaging topics should only be visible to specific participants designated by the topic creator, typically including the sender and intended recipients. However, due to the missing visibility checks, regular participants in private message topics could access and view whisper posts that were explicitly intended for restricted audiences. This represents a direct violation of the principle of least privilege and demonstrates a failure in the platform's access control enforcement mechanisms. The flaw operates at the application layer and requires no special privileges to exploit, making it particularly concerning for environments where sensitive communications are expected to remain confidential.
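The advisory describes the defect as a missing post-type visibility filter: the endpoint checked that the caller could access the PM topic but never narrowed the result to the post types that caller is allowed to see. The following Ruby snippet is an added illustration written for this page, not Discourse's own code; the `Post`/`User` structs, the `POST_TYPES` table, the `can_see_whispers` attribute and the function names are all assumptions. It shows the vulnerable query shape beside the hardened one and a small regression check a defender could keep around to confirm whispers never reach a viewer who is not entitled to them.

```ruby
# Added example (not Discourse code). Models the post-type visibility
# filter that the advisory says /private-posts was missing. All names,
# types and sample data below are constructed for illustration.

# Hypothetical post-type identifiers; only :whisper is restricted.
POST_TYPES = { regular: 1, moderator_action: 2, small_action: 3, whisper: 4 }.freeze

Post = Struct.new(:id, :topic_id, :post_type, :raw, keyword_init: true)

# can_see_whispers stands in for whatever rule a deployment uses to decide
# which participants may read whisper posts (assumption, see lead-in).
User = Struct.new(:id, :pm_topic_ids, :can_see_whispers, keyword_init: true)

# Constructed sample data: two posts in PM topic 10 (one whisper), one in topic 11.
SAMPLE_POSTS = [
  Post.new(id: 1, topic_id: 10, post_type: POST_TYPES[:regular], raw: "hello"),
  Post.new(id: 2, topic_id: 10, post_type: POST_TYPES[:whisper], raw: "restricted note"),
  Post.new(id: 3, topic_id: 11, post_type: POST_TYPES[:regular], raw: "other pm"),
].freeze

# Post types this viewer is entitled to see.
def visible_post_types(user)
  types = [POST_TYPES[:regular], POST_TYPES[:moderator_action], POST_TYPES[:small_action]]
  types << POST_TYPES[:whisper] if user.can_see_whispers
  types
end

# Vulnerable shape: filters on topic access only. A regular participant of
# topic 10 receives the whisper (post 2) along with the regular post.
def private_posts_unfiltered(user, posts)
  posts.select { |p| user.pm_topic_ids.include?(p.topic_id) }
end

# Hardened shape: topic access AND post-type visibility are both enforced
# in the query, so the whisper is dropped for viewers not entitled to it.
def private_posts_filtered(user, posts)
  allowed = visible_post_types(user)
  posts.select do |p|
    user.pm_topic_ids.include?(p.topic_id) && allowed.include?(p.post_type)
  end
end

# Regression check: true if a viewer without whisper rights still gets a whisper.
def leaks_whispers?(user, posts)
  return false if user.can_see_whispers
  private_posts_filtered(user, posts).any? { |p| p.post_type == POST_TYPES[:whisper] }
end

if __FILE__ == $PROGRAM_NAME
  member = User.new(id: 1, pm_topic_ids: [10], can_see_whispers: false)
  puts "unfiltered ids: #{private_posts_unfiltered(member, SAMPLE_POSTS).map(&:id).inspect}"
  puts "filtered ids:   #{private_posts_filtered(member, SAMPLE_POSTS).map(&:id).inspect}"
  puts "leaks whispers? #{leaks_whispers?(member, SAMPLE_POSTS)}"
end
```

The point of the hardened form is that the post-type restriction lives in the same query as the topic-access check, so every code path that lists posts for a viewer inherits it; a filter applied only in one rendering path is exactly the kind of gap the advisory describes.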

The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally compromises the integrity of private messaging within the Discourse platform. Regular users who should only have access to standard messages within private topics can now access confidential whisper posts, potentially exposing sensitive communications, personal information, or organizational data that was intended for specific recipients only. This breach affects the trust model of the platform and could lead to reputational damage for organizations relying on Discourse for secure communications. The vulnerability particularly impacts scenarios where private messaging is used for sensitive discussions, personnel matters, or confidential business communications, as it undermines the privacy guarantees that users expect from such platforms.

The security implications align with CWE-639, "Authorization Bypass Through User-Controlled Key," a failure of access control enforcement. From an adversary perspective, this vulnerability maps to ATT&CK technique T1078.004, "Valid Accounts: Cloud Accounts," since restricted content is reached through legitimate user accounts. Because no workarounds are available, organizations cannot apply temporary mitigations while awaiting patches, which makes prompt version upgrades the only remedy. The vulnerability reflects weak input validation and access control implementation: the system fails to enforce post-type restrictions according to the viewer's role and permissions. Organizations should upgrade to the patched versions without delay and review their Discourse deployments for signs of unauthorized access, since exposure of sensitive communication patterns and user relationships can enable further attacks.

Responsible: GitHub M
Reservation: 03/18/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00020
KEV: no
Activities: very low
