CVE-2026-34947

EPSS 0.05%

Discourse: Staged user custom fields are exposed on public invite pages

Published: 4/8/2026Modified: 4/8/2026

Also known as:BIT-discourse-2026-34947

Description

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3,and 2026.2.0 to before 2026.2.2, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3 and 2026.2.2.

Affected packages (1)

Bitnami/discourse>= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-4rcw-wq9x-54qw
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-34947