Discourse Vulnerability Leaks Staff Read Receipts
CVE Notify is flagging CVE-2026-32620, a vulnerability in the popular open-source discussion platform Discourse. The bug, present in specific versions of Discourse (2026.1.0 through 2026.1.3, 2026.2.0 through 2026.2.2, and 2026.3.0 through 2026.3.0), allowed non-staff users to view read-receipt metadata for posts intended only for staff.
While the actual content of these restricted posts remained inaccessible, the vulnerability exposed who read them and when. This metadata is not a full data breach, but it can still reveal which staff members are following which discussions and how quickly, offering insight into internal communication patterns or sensitive topics. CVE Notify confirms the issue has been addressed in the patched versions 2026.1.3, 2026.2.2, and 2026.3.0.
What This Means For You
- Organizations running Discourse should immediately check their deployment's version against the affected ranges and prioritize upgrading to a patched release to prevent exposure of internal communication metadata.
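As an added example (not code from CVE Notify or from the Discourse project), the following Ruby snippet performs the version audit above: it takes a Discourse version string and reports whether it falls below the fix version the advisory lists for its release branch. It assumes the version is obtained from the instance's `/about.json` endpoint under `about.version`, which is an assumption about Discourse's API shape rather than something stated on this page; the sample JSON body is constructed for illustration. Because the advisory gives 2026.3.0 as both the start and the fix of the third range, the check treats the 2026.3 branch as affected only for builds that sort before 2026.3.0 (for instance pre-release builds).

```ruby
require "rubygems"   # Gem::Version handles "2026.3.0.beta1" < "2026.3.0" correctly
require "json"

# Fix versions for CVE-2026-32620 as listed in the advisory, keyed by
# release branch (major.minor). Branches not listed are not affected.
FIXED_IN = {
  "2026.1" => Gem::Version.new("2026.1.3"),
  "2026.2" => Gem::Version.new("2026.2.2"),
  "2026.3" => Gem::Version.new("2026.3.0"),
}.freeze

# Returns true when the given Discourse version is in an affected range.
# Raises ArgumentError on a string that is not a valid version.
def affected_by_cve_2026_32620?(version_string)
  raise ArgumentError, "not a version: #{version_string.inspect}" unless Gem::Version.correct?(version_string)
  v = Gem::Version.new(version_string)
  branch = v.segments.first(2).join(".")   # "2026.1.2" -> "2026.1"
  fix = FIXED_IN[branch]
  return false if fix.nil?                  # branch not named by the advisory
  v < fix                                   # strictly below the fix version
end

# Extracts the version from an /about.json response body and returns an
# audit result hash. ASSUMPTION: the body carries the version at
# about.version; adjust the key path if your instance differs.
def audit_about_json(body)
  version = JSON.parse(body).dig("about", "version")
  return { version: nil, affected: nil, note: "version not found in about.json" } if version.nil?
  affected = affected_by_cve_2026_32620?(version)
  fix = FIXED_IN[Gem::Version.new(version).segments.first(2).join(".")]
  {
    version:  version,
    affected: affected,
    note:     affected ? "upgrade to #{fix} or later" : "not in an affected range",
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response, not captured from a real instance.
  sample_body = '{"about":{"version":"2026.2.1","title":"Example Forum"}}'
  puts audit_about_json(sample_body).inspect
end
```

In practice the body would come from `curl -s https://forum.example/about.json` (an assumed URL) piped into the script; the function returns a hash rather than printing so it can feed a fleet-wide inventory check.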
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32620 | Information Disclosure | Software: Discourse, Versions: 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, 2026.3.0-latest to before 2026.3.0. Vulnerability: Non-staff users can access read receipt information for staff-only posts. |
| CVE-2026-32620 | Information Disclosure | Software: Discourse, Versions: 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, 2026.3.0-latest to before 2026.3.0. Vulnerability: Exposure of metadata about who read staff-only posts and when. |