Discourse: Private Messages Can Be Accessed by Unauthorized Users
CVE-2026-33424
Summary
The Discourse discussion platform had an authorization flaw: an attacker who had lost access to a private message (PM) topic could still grant access to it through invites. The issue is fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No workarounds are known, so if you run an affected version, update to a patched release to prevent unauthorized access.
Original title
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they...
Original description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
NVD CVSS 3.1
5.9
Vulnerability type
CWE-863
Incorrect Authorization
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026