Listen to this Post
CVE-2026-45780 details an information disclosure vulnerability in Discourse, an open‑source discussion platform. The flaw resides in the `EventSerializer` component, which is responsible for rendering event data to users. Prior to the fixed versions (2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5), the serializer did not enforce proper authorization checks when handling private event invitee lists. As a result, any user who could view a topic—even without explicit permission to see the private invitee list—could inadvertently access sensitive information. This exposed data includes invited group names, sample invitees (e.g., a few representative usernames), and attendance statistics (such as the number of accepted or pending invitations). The root cause is an oversight in the serialization logic: the code fetches and includes these details without verifying that the current user has the required `view_invitees` capability on the event. An attacker only needs to be a regular topic viewer; no special privileges are required beyond that. The vulnerability is particularly concerning in community forums where events may contain sensitive participant information. The issue was addressed by adding an authorization gate in the serializer, ensuring that the invitee data is only appended to the response when the user is properly end. The patches were backported to all supported release lines, and administrators are strongly advised to upgrade immediately. The following sections provide a structured overview, technical analytics, exploitation vectors, protection measures, and the overall impact of this flaw.
DailyCVE Form:
Platform: Discourse
Version: < 2026.6.0, 2026.5.1, 2026.4.2, 2026.1.5
Vulnerability: Information Disclosure (private event invitees)
Severity: Medium (CVSS 4.3)
Date: 2026-07-09
Prediction: Already patched in 2026.6.0/2026.5.1/2026.4.2/2026.1.5
What Undercode Say:
Check current Discourse version
rake about | grep version
List all events and their invitee counts (requires topic view)
curl -s https://discourse.example.com/events.json | jq '.[] | {id, invitee_count}'
Simulate the vulnerable serializer output (pre‑patch)
curl -s https://discourse.example.com/t/123/events.json | jq '.event.invitees'
Verify if the fix is applied by checking the serializer authorization
grep -r "authorize! :view_invitees" app/serializers/event_serializer.rb
Exploit:
A malicious user with only topic‑viewing privileges can craft a request to the event endpoint (e.g., /t/{topic_id}/events.json) and parse the JSON response. The invited_groups, sample_invitees, and `attendance_stats` fields are returned without any additional permission checks, leaking the private list. No authentication bypass is needed; the attacker simply uses their valid session cookie.
Protection:
Upgrade to Discourse version 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5 immediately. If an immediate upgrade is not possible, apply the backported patch that adds `authorize! :view_invitees` inside EventSerializerinclude_invitees?. As a temporary workaround, restrict topic visibility to trusted groups or disable event invitee display via site settings until the patch is deployed.
Impact:
An attacker can enumerate group memberships, identify invited participants, and gauge event attendance trends—all without proper authorization. This compromises the confidentiality of private events, potentially revealing sensitive business or community planning details. Although the CVSS score is Medium (4.3), the real‑world impact depends on the sensitivity of the disclosed information; in highly regulated environments, this could constitute a compliance violation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

