{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32618", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.557Z", "datePublished": "2026-03-31T17:40:41.484Z", "dateUpdated": "2026-04-03T16:20:00.471Z"}, "containers": {"cna": {"title": "Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3"}, {"name": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.3", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.2", "status": "affected"}, {"version": ">= 2026.3.0-latest, < 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:40:41.484Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "source": {"advisory": "GHSA-pc8p-w2m7-hgf3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:19:17.031019Z", "id": "CVE-2026-32618", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:20:00.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32618", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:19:17.031019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:19:56.239Z"}}], "cna": {"title": "Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id", "source": {"advisory": "GHSA-pc8p-w2m7-hgf3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.3"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.2"}, {"status": "affected", "version": ">= 2026.3.0-latest, < 2026.3.0"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64", "name": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T17:40:41.484Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32618", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:20:00.471Z", "dateReserved": "2026-03-12T15:29:36.557Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T17:40:41.484Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "matchCriteriaId": "F64DA8FA-BC32-4EB9-B508-6425684D3245", "versionEndExcluding": "2026.1.3", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "matchCriteriaId": "26546710-17B3-4C72-930F-3BE0AD969127", "versionEndExcluding": "2026.2.2", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*", "matchCriteriaId": "DFA536C2-E9D9-4A03-89C2-C344DE682EA1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "id": "CVE-2026-32618", "lastModified": "2026-04-09T18:30:55.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:50.370", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/81fd89e744058e509412158e5e6ac90c856ade64"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-pc8p-w2m7-hgf3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.3.0-latest,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-04-09T19:28:10.489044+00:00", "value": {"mitigation_remediation": ["Upgrade to Discourse 2026.1.3, 2026.2.2, or 2026.3.0 or newer, depending on the current release; the patch commit 81fd89e744058e509412158e5e6ac90c856ade64 has been applied.", "Verify the applied patch by checking the application version or reviewing the commit history.", "If an immediate upgrade is not feasible, block or restrict the chat search API endpoint to authorized users only via firewall rules or Discourse permission settings.", "Monitor application logs for unusual chat search activity that may indicate attempts to gather membership data."], "summary": {"action": "Apply Patch", "impact": "Unauthorized disclosure of channel membership information"}, "threat_synthesis": {"affected_systems": "Affected vendors and products are the Discourse open-source discussion platform, specifically the chat module of Discourse. The impacted releases are from 2026.1.0 through 2026.1.2, from 2026.2.0 through 2026.2.1, and from 2026.3.0 through 2026.3.0-latest prior to the patch. The vulnerability has been fixed in Discourse 2026.1.3, 2026.2.2, and 2026.3.0, and only systems running the older releases remain at risk.", "description_and_impact": "Discourse versions 2026.1.0 to 2026.1.2, 2026.2.0 to 2026.2.1, and 2026.3.0 to 2026.3.0 provide a search interface that inadvertently reveals whether a user is a member of a chat channel. The vulnerability allows an unauthorised party to infer membership status without authentication, constituting a privacy breach. This is an instance of information disclosure (CWE\u2011200) and can expose sensitive community structures.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, but the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA\u2019s KEV catalog, reducing the immediate threat. The likely attack vector is access to the chat search API, which can be triggered by anyone with network visibility to the application; it does not require elevated privileges. Because no persistent exploit exists, the primary concern is unintended information disclosure, but administrators should still patch promptly to prevent potential future usage or correlation attacks."}}}}, "created": "2026-03-31T19:53:41.065480+00:00", "updated": "2026-04-10T09:46:06.685991+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}