Discourse: Unauthenticated users can guess membership in private groups

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.9

Discourse: Unauthenticated users can guess membership in private groups

CVE-2026-33425

Summary

Unauthenticated users can determine if a private group member exists, potentially compromising group confidentiality. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. To mitigate this, update to a patched version or disable public access to user profiles via Admin settings.

Original title

Original description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin → Settings → hide user profiles from public.

nvd CVSS4.0 6.9

Vulnerability type

CWE-203

CWE-639 Authorization Bypass Through User-Controlled Key

CWE-862 Missing Authorization

https://github.com/discourse/discourse/security/advisories/GHSA-r6rh-xvf5-r5f2

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026