Listen to this Post
The vulnerability resides in an API endpoint that mishandles authorization checks for private topic metadata. In affected Discourse versions (prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2), a moderator user—who normally does not have permission to view admin‑only private topics—can inadvertently retrieve metadata from those topics through this endpoint. The endpoint fails to validate that the requesting moderator is explicitly granted access to the private topic before returning metadata such as , category, creation date, and participant list. This leads to unintended information disclosure where moderators can enumerate details of private topics belonging to admin users, effectively bypassing the intended access control boundaries. The flaw stems from an insufficient check in the controller layer that only verifies the user’s role (moderator) but not the topic’s access list. Attackers exploiting this need a valid moderator account, making the attack high‑privileged, but the impact is considered medium due to the sensitivity of the disclosed metadata. The patch corrects this by enforcing a proper permission check that verifies explicit membership or admin status before returning any topic metadata.
dailycve form:
Platform: Discourse
Version: <2026.3.0-latest.1
Vulnerability: Metadata disclosure
Severity: Medium
date: 2026-03-19
Prediction: Already patched
What Undercode Say:
Analytics
Identify exposed endpoints via logs grep "api/v1/topics/private-metadata" /var/log/discourse/rails.log | grep moderator Enumerate all private topic metadata accessible to a moderator curl -X GET "https://discourse.local/api/v1/topics/private-metadata" \ -H "Api-Key: MODERATOR_API_KEY" \ -H "Api-Username: moderator_user" | jq '.'
Exploit:
- Obtain a moderator account on the target Discourse instance.
- Send a GET request to the vulnerable API endpoint
/api/v1/topics/private-metadata. - Parse the JSON response to retrieve metadata of admin private topics (s, categories, creation dates, participants).
- No additional privileges are required beyond moderator role.
Protection from this CVE
- Upgrade immediately to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.
- If upgrading is not possible, restrict access to the API endpoint via reverse proxy rules to only allow admin IPs, though this is a temporary workaround.
- Review moderator accounts and enforce principle of least privilege.
Impact
Unauthorized exposure of private topic metadata to moderators. Although the full content of topics is not disclosed, metadata can reveal sensitive information such as topic s, participants, and categories, potentially leading to further social engineering or reconnaissance attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

