CVE-2026-32618

MEDIUM4.3EPSS 0.05%

Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

發布日:2026/4/7修改日:2026/4/7

也稱為:GHSA-pc8p-w2m7-hgf3BIT-discourse-2026-32618

描述

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

受影響套件(1)

Bitnami/discourse>= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(3)

WEBhttps://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-32618