{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T18:45:22.434Z", "datePublished": "2026-03-20T23:21:20.877Z", "dateUpdated": "2026-03-25T13:42:54.320Z"}, "containers": {"cna": {"title": "Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "= 2026.3.0-latest", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T23:21:20.877Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-frcw-p4mc-x6mp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:42:46.677298Z", "id": "CVE-2026-33428", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:42:54.320Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:42:46.677298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:42:50.992Z"}}], "cna": {"title": "Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership", "source": {"advisory": "GHSA-frcw-p4mc-x6mp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "= 2026.3.0-latest"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T23:21:20.877Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33428", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:42:54.320Z", "dateReserved": "2026-03-19T18:45:22.434Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T23:21:20.877Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "id": "CVE-2026-33428", "lastModified": "2026-03-24T19:41:41.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-21T00:16:27.477", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T21:31:12.052943+00:00", "value": {"mitigation_remediation": ["Update to Discourse 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 to apply the patch."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "All Discourse installations running versions earlier than 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 are affected. The patched releases\u20142026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2\u2014contain a fix that tightens the permission model and removes the vulnerability.", "description_and_impact": "In the open\u2011source Discourse discussion platform, an excessively permissive authorization check on the deleted\u2011posts index endpoint allows a non\u2011staff user with certain elevated group memberships to view any user's deleted posts. The flaw, classified under CWE\u2011863, results in the disclosure of content that administrators intended to keep private, compromising the confidentiality of deleted discussions.", "risk_and_exploitability": "The CVSS score of 4.9 denotes moderate severity, while the EPSS score of less than 1\u202f% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attacker can exploit the flaw by sending a request to the /posts/deleted endpoint; this attack vector is inferred from the description, as the vulnerability is described as an \u201coverly broad authorization check.\u201d The impact is primarily the unauthorized disclosure of deleted content, with risk level depending on the sensitivity of the data that has been removed."}}}}, "created": "2026-03-23T09:51:44.240156+00:00", "updated": "2026-03-25T14:33:43.850524+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}