{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32618", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.557Z", "datePublished": "2026-03-31T17:40:41.484Z", "dateUpdated": "2026-03-31T17:40:41.484Z"}, "containers": {"cna": {"title": "Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3"}, {"name": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:40:41.484Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-pc8p-w2m7-hgf3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-32618", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:50.370", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-31T19:37:42.822206+00:00", "value": {"mitigation_remediation": ["Apply the latest Discourse patch (\u22652026.1.3, 2026.2.2, or 2026.3.0).", "Confirm your instance is running a patched version."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the open-source Discourse discussion platform. Versions before 2026.1.3, before 2026.2.2, and before 2026.3.0 are vulnerable. The official fix is included in releases 2026.1.3, 2026.2.2, and 2026.3.0 and newer, so updating to any of those versions restores proper authorization checks.", "description_and_impact": "Discourse allows users to search chat participants via an endpoint that accepts a channel identifier. The 'excluded_memberships_channel_id' parameter is intended to prevent fetching members of a specified channel. However, in certain versions (2026.1.0 to 2026.1.2, 2026.2.0 to 2026.2.1, and 2026.3.0 prior) the filter is ignored, enabling an unauthenticated request to reveal membership statuses. Because it discloses whether a user belongs to a channel, the vulnerability falls under information disclosure (CWE-200) and allows attackers to infer private grouping data without proper authorization.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate risk. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The vulnerability can be exploited by sending a request to the chat search endpoint from outside the system, with no authentication required. Because the flaw is public and the exploit path is simple, the likelihood of exploitation remains medium, especially for platforms that have not yet applied the patch."}}}}, "created": "2026-03-31T19:53:41.065480+00:00", "updated": "2026-03-31T20:37:37.304813+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}