CVE-2026-27935

EPSS 0.05%

Discourse leaks private topic metadata to non-authorized users

發布日:2026/3/27修改日:2026/4/2

描述

Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

受影響套件(1)

Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.4.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

參考連結(5)

WEBhttps://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc
WEBhttps://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897
WEBhttps://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-27935