{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-19T22:01:42.387Z", "dateUpdated": "2026-03-20T18:10:20.981Z"}, "containers": {"cna": {"title": "Discourse filters whisper posts from private-posts feed", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq"}, {"name": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c"}, {"name": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc"}, {"name": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:42.387Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-g4v5-6gfp-3hjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:00:35.807294Z", "id": "CVE-2026-33355", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:10:20.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:00:35.807294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:00:39.678Z"}}], "cna": {"title": "Discourse filters whisper posts from private-posts feed", "source": {"advisory": "GHSA-g4v5-6gfp-3hjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "name": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "name": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "name": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:42.387Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33355", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:10:20.981Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:01:42.387Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, el endpoint `/private-posts` no aplicaba el filtrado de visibilidad por tipo de publicaci\u00f3n, lo que permit\u00eda a los participantes regulares de mensajes privados ver publicaciones susurradas en temas de mensajes privados a los que ten\u00edan acceso. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33355", "lastModified": "2026-03-24T20:41:42.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:42.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42320603c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4d59bcdc"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd9370946d1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T21:33:05.264961+00:00", "value": {"mitigation_remediation": ["Upgrade the Discourse instance to version 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2, which contain the security fix."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Discourse community edition. Versions lower than 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are affected. The patching fixes explicitly add the necessary visibility filtering. All users running earlier releases should consider them vulnerable until the fix is applied.", "description_and_impact": "Discourse, an open\u2011source discussion platform, had an issue in the implementation of its /private\u2011posts endpoint. Prior to certain patches, the endpoint did not limit its results based on post type visibility, allowing users participating in a private message thread to view whisper posts\u2014content intended only for designated participants\u2014alongside normal messages. This weakness results in unauthorized disclosure of private content, classifying it as an information\u2011disclosure vulnerability.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of active exploitation. The issue is not listed in the CISA KEV catalog, implying no known large\u2011scale exploits. Attackers need only authenticated accounts with access to the private\u2011message thread and can retrieve the whisper posts simply by querying the affected endpoint. Although the exploit is straightforward for a legitimate thread participant, it does not provide broader privileges or remote code execution."}}}}, "created": "2026-03-20T08:55:23.177302+00:00", "updated": "2026-03-25T11:54:31.943069+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}