Authorization and Disclosure Vulnerabilities in Discourse Chat Plugin
CVE-2026-45085

5.3MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-45085?

The vulnerability affects the Discourse chat plugin, allowing authorization and disclosure breaches. Users with read-only privileges could create chat threads, and self-deleted messages could be restored by their authors after revoking access. Additionally, moderators could inadvertently access last messages from channels not relevant to flagged chats, and calendar event payloads exposed details of chat channels to viewers lacking access rights, including anonymous users. This vulnerability impacts installations that have the chat plugin enabled, particularly those utilizing the calendar feature. The issue has been addressed in newer versions, ensuring improved security and access control.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.