Exposure of User Data on Discourse Open Source Discussion Platform
CVE-2026-34947

2.7 LOW

Key Information:

Vendor: Discourse

Status
Vendor
CVE Published: 3 April 2026

What is CVE-2026-34947?

Discourse, an open-source discussion platform, is affected by a vulnerability that exposes staged users' custom fields and usernames on public invite pages without requiring email verification. This threatens user privacy, because the information is accessible to unauthorized users. The issue is fixed in versions 2026.1.3, 2026.2.2, and 2026.3.0; upgrade to one of these patched versions.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.3 < 2026.1.0-latest, 2026.1.3

discourse >= 2026.2.0-latest, < 2026.2.2 < 2026.2.0-latest, 2026.2.2

discourse >= 2026.3.0-latest, < 2026.3.0 < 2026.3.0-latest, 2026.3.0

CVSS V4

Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
