CVE-2026-33410 in Discourse

Summary

by MITRE • 03/20/2026

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.


Analysis

by VulDB Data Team • 03/25/2026

CVE-2026-33410 affects Discourse, an open-source discussion platform, in the authorization controls of its chat direct message API. The problem consists of two distinct but related authorization flaws that together undermine the confidentiality of private chat. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are affected. Both flaws are access-control defects whose impact is unauthorized information disclosure to an authenticated user; neither gives code execution or privilege escalation on its own.

The first flaw occurs when a direct message channel is created, or users are added to an existing one, through the API. The `target_groups` parameter is passed straight to the user resolution query without checking whether the acting user is allowed to see the group or its members. An authenticated chat user who knows the name of a private or hidden group can therefore reference it in the request and receive a channel whose member list reveals that group's membership. Note what the attacker needs: a group name, not membership in the group. The missing check is on the acting user's visibility of the group and its members, which is why a lookup by name alone was enough. This is CWE-284 (Improper Access Control), in the specific form of an authorization check absent from an API endpoint.

The second flaw is in the `can_chat?` method, which validated group membership (whether the user belongs to a group allowed to use chat) but not the `chat_enabled` user preference. A user who has disabled chat in their own preferences therefore still passed the check and could create or query direct message channels between other users through the direct messages API. Because the serialized channel response includes `last_message`, such a user could read the most recent message of a conversation they are not part of. The two sources of truth for "may this user chat" (site group policy and the user's own setting) were not both consulted, which is the least-privilege failure here.
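The two checks discussed above, modelled in Ruby as an added example. This is not Discourse's code: the data structures, the group and user names, the channel store and the helper names (`resolve_targets_vulnerable`, `resolve_targets_fixed`, `can_chat_vulnerable?`, `can_chat_fixed?`, `lookup_dm_channel`) are all assumptions chosen to show the flawed and the corrected behaviour side by side.

```ruby
# Hypothetical, simplified model of the two authorization checks described
# in the advisory. Not Discourse's code; all names and data are assumptions.

User  = Struct.new(:username, :group_names, :chat_enabled, keyword_init: true)
Group = Struct.new(:name, :visibility, :members, keyword_init: true) # :public / :private

# Groups whose members are allowed to use chat at all (site policy; assumed).
CHAT_ALLOWED_GROUPS = %w[trust_level_1 staff].freeze

# Constructed sample data: one private group whose membership is sensitive.
GROUPS = [
  Group.new(name: "trust_level_1", visibility: :public,  members: %w[alice bob carol]),
  Group.new(name: "staff",         visibility: :public,  members: %w[alice]),
  Group.new(name: "secret-board",  visibility: :private, members: %w[alice dave]),
].freeze

USERS = {
  "alice" => User.new(username: "alice", group_names: %w[trust_level_1 staff secret-board], chat_enabled: true),
  "bob"   => User.new(username: "bob",   group_names: %w[trust_level_1], chat_enabled: true),
  "carol" => User.new(username: "carol", group_names: %w[trust_level_1], chat_enabled: false),
  "dave"  => User.new(username: "dave",  group_names: %w[secret-board], chat_enabled: true),
}.freeze

# Constructed DM store keyed by the sorted member set; the serialized channel
# carries last_message, which is what the second flaw exposes.
CHANNELS = {
  %w[alice dave] => { members: %w[alice dave], last_message: "payroll numbers attached" },
}.freeze

def group_visible_to?(group, actor)
  group.visibility == :public || group.members.include?(actor.username)
end

# Flaw 1 (vulnerable): target_groups go straight to member resolution; the
# acting user is never consulted, so any known private group name leaks members.
def resolve_targets_vulnerable(_actor, target_groups:, target_usernames: [])
  matched = GROUPS.select { |g| target_groups.include?(g.name) }
  (target_usernames + matched.flat_map(&:members)).uniq.sort
end

# Flaw 1 (fixed): drop groups the acting user cannot see before resolving members.
# An invisible group and a nonexistent group yield the same result, so the
# endpoint does not become an existence oracle for hidden group names.
def resolve_targets_fixed(actor, target_groups:, target_usernames: [])
  visible = GROUPS.select { |g| target_groups.include?(g.name) && group_visible_to?(g, actor) }
  (target_usernames + visible.flat_map(&:members)).uniq.sort
end

# Flaw 2 (vulnerable): only group membership is consulted.
def can_chat_vulnerable?(user)
  (user.group_names & CHAT_ALLOWED_GROUPS).any?
end

# Flaw 2 (fixed): group membership AND the user's own chat_enabled preference.
def can_chat_fixed?(user)
  can_chat_vulnerable?(user) && user.chat_enabled == true
end

class ChatDenied < StandardError; end

# DM channel lookup as the API would serialize it. `hardened:` selects which
# can_chat? check gates the request. (Whether the actor must be a member of the
# channel is a separate check, outside this model.)
def lookup_dm_channel(actor, target_usernames, hardened:)
  allowed = hardened ? can_chat_fixed?(actor) : can_chat_vulnerable?(actor)
  raise ChatDenied, "#{actor.username} may not use chat" unless allowed
  CHANNELS[target_usernames.sort]
end

if $PROGRAM_NAME == __FILE__
  bob = USERS["bob"]
  p resolve_targets_vulnerable(bob, target_groups: ["secret-board"]) # bob sees alice and dave
  p resolve_targets_fixed(bob, target_groups: ["secret-board"])      # nothing leaks
  carol = USERS["carol"]
  p lookup_dm_channel(carol, %w[alice dave], hardened: false)[:last_message]
  begin
    lookup_dm_channel(carol, %w[alice dave], hardened: true)
  rescue ChatDenied => e
    puts "hardened: #{e.message}"
  end
end
```

The design point in `resolve_targets_fixed` is that filtering by visibility happens before member resolution, and that a hidden group produces the same empty result as a misspelled one; returning a distinct "forbidden" error for hidden groups would trade a membership leak for a group-name oracle. In `can_chat_fixed?` the preference is an explicit `== true` comparison so that a missing or nil setting fails closed.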

The operational impact goes beyond a single disclosure. Because the first flaw takes a group name as input, an attacker can iterate over candidate names and enumerate private groups and their members, mapping the user base and the relationships it implies. The second flaw lets a chat-disabled user read the `last_message` content of direct message channels between other users. Together these give an attacker material for social engineering, targeted harassment, and surveillance of platform users, and the enumeration can be scripted against the API from an ordinary account.

In ATT&CK terms, exploitation requires a valid, if low-privileged, account on the forum, so T1078 Valid Accounts is the relevant prerequisite. The flaw itself yields reconnaissance data (group membership, recent message content) rather than execution or access, and that data is what makes later phishing or pretexting against the identified users more credible; the vulnerability does not map to a phishing technique on its own. Organizations running affected versions risk exposure of private communications and of membership in groups they intended to keep hidden. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain the fix for both checks. No workaround is known, so upgrading is the only remediation, and this page's low EPSS score (0.00051) and absence from KEV describe observed exploitation likelihood, not the difficulty of the attack, which needs only an authenticated account and a crafted request.

Responsible

GitHub M

Reservation

03/19/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00051

KEV

no

Activities

very low

Sources
