{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.689Z", "datePublished": "2026-03-19T21:33:38.459Z", "dateUpdated": "2026-03-20T16:28:35.052Z"}, "containers": {"cna": {"title": "Discourse leaks private topic metadata to non-authorized users", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76"}, {"name": "https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc"}, {"name": "https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897"}, {"name": "https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:33:38.459Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-wxqr-r4wv-cw76", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:28:24.162633Z", "id": "CVE-2026-27935", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:28:35.052Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Discourse leaks private topic metadata to non-authorized users", "source": {"advisory": "GHSA-wxqr-r4wv-cw76", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc", "name": "https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897", "name": "https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab", "name": "https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:33:38.459Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:28:24.162633Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-20T16:28:28.586Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27935", "state": "PUBLISHED", "dateUpdated": "2026-03-19T21:33:38.459Z", "dateReserved": "2026-02-25T03:11:36.689Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T21:33:38.459Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Las versiones anteriores a 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 tienen una vulnerabilidad en un endpoint de API que divulga metadatos de temas privados de usuarios administradores a usuarios moderadores, incluso si los moderadores no tienen acceso a los temas privados. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-27935", "lastModified": "2026-03-23T20:18:31.873", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:30.997", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T04:36:59.466208+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to a patched release such as 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure of Private Topic Metadata"}, "threat_synthesis": {"affected_systems": "Discourse releases before 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are affected. Upgrading to any of those patched versions removes the vulnerability.", "description_and_impact": "An API endpoint in the open\u2011source discussion platform exposes private topic metadata belonging to administrators. The flaw allows moderators, who normally lack permission to view those private topics, to obtain sensitive metadata. This represents a privacy violation, classified as CWE\u2011201, without enabling further exploit such as code execution or system compromise.", "risk_and_exploitability": "The CVSS base score of 6.9 indicates a moderate severity, while the EPSS score below 1% suggests a low probability of immediate exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is authenticated: a legitimate moderator can invoke the exposed API and receive unauthorized private topic metadata without needing higher privileges."}}}}, "created": "2026-03-20T08:55:33.653273+00:00", "updated": "2026-03-25T11:54:42.787135+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}