Unauthorized Access to Chat Messages in Discourse by Discourse
CVE-2026-44786
What is CVE-2026-44786?
Discourse, an open-source discussion platform, contains a vulnerability that allows unauthorized subscribers to receive chat message payloads in real-time from public category channels. The flaw exists in versions ranging from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, where chat events are transmitted via MessageBus without proper permission scoping. This oversight facilitates potential exposure of sensitive chat communications to users who do not have chat access, emphasizing the need for updates to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, where this issue has been patched.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1