CVE-2026-33408
LOW
2,2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: none
Availability: none
Description
AI Translation Available
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
862
Missing Authorization
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Availability
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Applicable Platforms
Technologies:
AI/ML, Database Server, Not Technology-Specific, Web Server
https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091ab…
https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388…
https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032…
https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c