CVE-2026-33425
Published: Mar 20, 2026
Modified: Mar 23, 2026
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin → Settings → hide user profiles from public.
| Vendor | Product | Versions |
|---|---|---|
discourse | discourse | affected >= 2026.1.0-latest, < 2026.1.2affected >= 2026.2.0-latest, < 2026.2.1affected = 2026.3.0-latest |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now