CVE-2026-33355

Published: Mar 19, 2026 Last Modified: Mar 19, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `/private-posts` endpoint did not apply post-type visibility filtering, allowing regular PM participants to see whisper posts in PM topics they had access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Mobile, Not Technology-Specific, Web Based

Likelihood of Exploit: High

View CWE Details

https://github.com/discourse/discourse/commit/84e5865a27971…

https://github.com/discourse/discourse/commit/84e5865a279716c6866e8c0648d1d8b42…

https://github.com/discourse/discourse/commit/d25b8ee9ee182…

https://github.com/discourse/discourse/commit/d25b8ee9ee182dbb34e92b34e39878ce4…

https://github.com/discourse/discourse/commit/d2f317271ad76…

https://github.com/discourse/discourse/commit/d2f317271ad7638f1e2791905472ebd93…

https://github.com/discourse/discourse/security/advisories/…

https://github.com/discourse/discourse/security/advisories/GHSA-g4v5-6gfp-3hjq