Discourse Vulnerability: Channel Membership Inference Flaw Patched
CVE Notify is highlighting a security vulnerability in the popular open-source discussion platform Discourse. The flaw, identified as CVE-2026-32618, allows channel membership to be inferred through unauthorized chat user searches. In practice, an attacker could discover who is part of specific chat channels without proper authorization.
The vulnerability affects specific version ranges: from 2026.1.0-latest up to but not including 2026.1.3, from 2026.2.0-latest up to but not including 2026.2.2, and from 2026.3.0-latest up to but not including 2026.3.0. The Discourse team has released fixes in versions 2026.1.3, 2026.2.2, and 2026.3.0.
What This Means For You
- Immediately review and update all Discourse instances to the patched versions (2026.1.3, 2026.2.2, or 2026.3.0) to prevent unauthorized access to chat channel membership information.
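To support that review, the following added example (not code from Discourse or from this advisory) triages an inventory of instance versions against the ranges listed above. It assumes that a suffixed build such as `2026.3.0-latest` sorts before the plain `2026.3.0` release, which is the only reading under which the third range is non-empty; the hostnames and inventory are constructed.

```python
import re

# Affected ranges from the advisory text: (first affected, first fixed).
AFFECTED_RANGES = [
    ("2026.1.0-latest", "2026.1.3"),
    ("2026.2.0-latest", "2026.2.2"),
    ("2026.3.0-latest", "2026.3.0"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def version_key(version):
    """Sortable key. Assumption: 'X.Y.Z-suffix' sorts before plain 'X.Y.Z'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    # (0, suffix) < (1, "") puts "2026.3.0-latest" ahead of "2026.3.0".
    rank = (0, suffix) if suffix else (1, "")
    return (int(major), int(minor), int(patch), rank)


def is_affected(version):
    """True if the version lies in any half-open range [first affected, first fixed)."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'not in listed ranges' or 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not in listed ranges"
        except ValueError:
            # Unparsed entries need a manual look; never assume they are safe.
            result[host] = "unparsed"
    return result


# Constructed inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "forum-a.example": "2026.1.2",
    "forum-b.example": "2026.2.2",
    "forum-c.example": "2026.3.0-latest",
    "forum-d.example": "tests-passed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unparsed` should be checked by hand, since a version string the script cannot read says nothing about whether the fix is present.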
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32618 | Information Disclosure | Software: Discourse, Versions: 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, 2026.3.0-latest to before 2026.3.0. Vulnerability: Possible channel membership inference from chat user search without authorization. |