Discourse Vulnerability: Draft Topic Titles Exposed
CVE Notify has flagged a significant vulnerability affecting the popular open-source discussion platform, Discourse. The issue, identified as CVE-2026-32951, allows an authenticated user to obtain the titles of shared draft topics. This is achieved by sending a specially crafted inline onebox request, manipulating the category_id parameter to target the shared drafts category. Imagine an attacker poking around and seeing the titles of work-in-progress discussions; that is not ideal for any community or organization relying on Discourse for collaboration.
According to CVE Notify, this bug impacted specific version ranges: from 2026.1.0 up to, but not including, 2026.1.3; from 2026.2.0 up to, but not including, 2026.2.2; and from 2026.3.0 up to, but not including, 2026.3.0. Fortunately, the Discourse team has already pushed out patches to address this. Versions 2026.1.3, 2026.2.2, and 2026.3.0 now include the fix, closing the door on this particular information disclosure vector.
What This Means For You
- Security teams managing Discourse instances should immediately verify their patch levels and upgrade to versions 2026.1.3, 2026.2.2, or 2026.3.0 to mitigate CVE-2026-32951, preventing unauthorized access to draft topic titles.
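A quick way to act on this recommendation is to compare the running Discourse version against the affected ranges exactly as the advisory lists them. The Ruby snippet below is an added example written for this page, not Discourse's own code or anything from CVE Notify; it assumes the version string has the `year.minor.patch` shape used above (pre-release markers, if any, are ignored, which is an assumption) and encodes each range as "introduced up to, but not including, fixed". Note that the third range as stated (from 2026.3.0 up to, but not including, 2026.3.0) is empty, so the check reports 2026.3.0 as not affected, consistent with the advisory naming 2026.3.0 as a fixed version.

```ruby
# Added example, not Discourse's own code: decide whether a Discourse
# version string falls inside the affected ranges stated for CVE-2026-32951.
# Each range is [introduced, fixed), copied from the advisory text.
AFFECTED_RANGES = [
  ["2026.1.0", "2026.1.3"],
  ["2026.2.0", "2026.2.2"],
  ["2026.3.0", "2026.3.0"], # as stated in the advisory: an empty range
].freeze

# Turn "2026.1.3" into [2026, 1, 3] for element-wise comparison.
# Assumption: only the first three numeric components matter; any
# pre-release suffix (e.g. "-beta1") is ignored.
def parse_version(str)
  parts = str.to_s.scan(/\d+/).first(3).map(&:to_i)
  raise ArgumentError, "unexpected version format: #{str.inspect}" if parts.size < 3
  parts
end

# True when the version lies in any affected range (lower bound inclusive,
# upper bound exclusive). Array#<=> compares integer components in order.
def discourse_affected?(version_string)
  v = parse_version(version_string)
  AFFECTED_RANGES.any? do |introduced, fixed|
    (v <=> parse_version(introduced)) >= 0 && (v <=> parse_version(fixed)) < 0
  end
end

# Usage: pass the version shown in the admin dashboard or from
# Discourse::VERSION::STRING in a rails console. The default below is a
# constructed sample value, not a real deployment.
if __FILE__ == $PROGRAM_NAME
  ver = ARGV[0] || "2026.2.1"
  status = discourse_affected?(ver) ? "AFFECTED by CVE-2026-32951, upgrade" : "not in an affected range"
  puts "#{ver}: #{status}"
end
```

Run it as `ruby check_discourse.rb 2026.1.2` (filename is arbitrary); a version inside a range prints the upgrade message, while 2026.1.3, 2026.2.2 and 2026.3.0 report as not affected.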
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32951 | Information Disclosure | Software: Discourse, Versions: 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, 2026.3.0-latest to before 2026.3.0. Vulnerable component: inline onebox request with a category_id parameter matching the shared drafts category. |