Unauthorized Access to Chat Messages in Discourse by Discourse
CVE-2026-44786

7.5HIGH

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44786?

Discourse, an open-source discussion platform, contains a vulnerability that allows unauthorized subscribers to receive chat message payloads in real-time from public category channels. The flaw exists in versions ranging from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, where chat events are transmitted via MessageBus without proper permission scoping. This oversight facilitates potential exposure of sensitive chat communications to users who do not have chat access, emphasizing the need for updates to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1, where this issue has been patched.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.