CVE Catalog

CVE-2026-44785

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile - higher than 7% of all known CVEs

Summary

There is a vulnerability in the Discourse discussion platform that allows authenticated users to access hidden parent post content by using the AI 'explain' function on a reply to that post. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.

Risk Assessment

Organizations may be at risk of exposing sensitive information if users with access to the AI function can read hidden post content. This could lead to privacy breaches and data security issues.

Recommendation

It is recommended to update Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.

Original NVD description (English source)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking "Explain" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS