Information Disclosure Vulnerability in Discourse by Discourse
CVE-2026-47264
What is CVE-2026-47264?
An information disclosure vulnerability exists in the Discourse discussion platform. Versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 have flawed handling of tag group visibility. When the SiteSetting.tags_listed_by_group is enabled, this flaw allows unprivileged and anonymous users to access restricted tag group names by making requests to the TagsController#info endpoint. As this endpoint does not require user authentication, it poses significant privacy risks. The vulnerability has been addressed in subsequent releases including 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Affected Version(s)
discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1