CVE-2026-33424

Published: Mar 21, 2026Modified: Mar 24, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected (3)

Products: Discourse: Discourse

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Discourse Discourse	From 2026.1.0 to 2026.1.2
Discourse Discourse	From 2026.2.0 to 2026.2.1
Discourse Discourse	Version 2026.3.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://github.com/discourse/discourse/security/advisories/GHSA-hgcp-p7hq-cwxw

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.