Authorization and Disclosure Vulnerabilities in Discourse Chat Plugin
CVE-2026-45085
What is CVE-2026-45085?
The vulnerability affects the Discourse chat plugin, allowing authorization and disclosure breaches. Users with read-only privileges could create chat threads, and self-deleted messages could be restored by their authors after revoking access. Additionally, moderators could inadvertently access last messages from channels not relevant to flagged chats, and calendar event payloads exposed details of chat channels to viewers lacking access rights, including anonymous users. This vulnerability impacts installations that have the chat plugin enabled, particularly those utilizing the calendar feature. The issue has been addressed in newer versions, ensuring improved security and access control.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1