Information Disclosure Vulnerability in Discourse by Discourse
CVE-2026-47264

5.3MEDIUM

Key Information:

Vendor

Discourse

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47264?

An information disclosure vulnerability exists in the Discourse discussion platform. Versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 have flawed handling of tag group visibility. When the SiteSetting.tags_listed_by_group is enabled, this flaw allows unprivileged and anonymous users to access restricted tag group names by making requests to the TagsController#info endpoint. As this endpoint does not require user authentication, it poses significant privacy risks. The vulnerability has been addressed in subsequent releases including 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.4 < 2026.1.0-latest, 2026.1.4

discourse >= 2026.3.0-latest, < 2026.3.1 < 2026.3.0-latest, 2026.3.1

discourse >= 2026.4.0-latest, < 2026.4.1 < 2026.4.0-latest, 2026.4.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.