CVE-2026-32618

MEDIUM4.3EPSS 0.05%

Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Published: 4/7/2026Modified: 4/7/2026

Also known as:GHSA-pc8p-w2m7-hgf3BIT-discourse-2026-32618

Description

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected packages (1)

Bitnami/discourse>= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

WEBhttps://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-32618