CVE-2026-26265 (GCVE-0-2026-26265)
Vulnerability from cvelistv5 – Published: 2026-02-26 15:10 – Updated: 2026-02-27 16:17
VLAI?
Title
Discourse has IDOR vulnerability in the directory items endpoint
Summary
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T16:16:56.830172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T16:17:05.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.12.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.1"
},
{
"status": "affected",
"version": "\u003e= 2026.2.0-latest, \u003c 2026.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all\u0026user_field_ids=\u003cid\u003e` with any private field ID and receive that field\u0027s value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:10:25.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-crxf-p6jm-vpgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-crxf-p6jm-vpgw"
}
],
"source": {
"advisory": "GHSA-crxf-p6jm-vpgw",
"discovery": "UNKNOWN"
},
"title": "Discourse has IDOR vulnerability in the directory items endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26265",
"datePublished": "2026-02-26T15:10:25.929Z",
"dateReserved": "2026-02-12T17:10:53.412Z",
"dateUpdated": "2026-02-27T16:17:05.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-26265",
"date": "2026-04-22",
"epss": "0.00048",
"percentile": "0.14749"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26265\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T16:24:07.543\",\"lastModified\":\"2026-03-02T21:37:36.747\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all\u0026user_field_ids=\u003cid\u003e` with any private field ID and receive that field\u0027s value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.\"},{\"lang\":\"es\",\"value\":\"Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, una vulnerabilidad IDOR en el endpoint de elementos del directorio permite a cualquier usuario, incluidos los usuarios an\u00f3nimos, recuperar valores de campos de usuario privados para todos los usuarios en el directorio. El par\u00e1metro \u0027user_field_ids\u0027 en \u0027DirectoryItemsController#index\u0027 acepta IDs de campos de usuario arbitrarios sin comprobaciones de autorizaci\u00f3n, eludiendo las restricciones de visibilidad (\u0027show_on_profile\u0027 / \u0027show_on_user_card\u0027) que se aplican en otros lugares (por ejemplo, \u0027UserCardSerializer\u0027 a trav\u00e9s de \u0027Guardian#allowed_user_field_ids\u0027). Un atacante puede solicitar \u0027GET /directory_items.json?period=all\u0026amp;user_field_ids=\u0027 con cualquier ID de campo privado y recibir el valor de ese campo para cada usuario en la respuesta del directorio. Esto permite la exfiltraci\u00f3n masiva de datos de usuario privados como n\u00fameros de tel\u00e9fono, direcciones u otros campos personalizados sensibles que los administradores han configurado expl\u00edcitamente como no p\u00fablicos. El problema est\u00e1 parcheado en las versiones 2025.12.2, 2026.1.1 y 2026.2.0 filtrando \u0027user_field_ids\u0027 contra \u0027UserField.public_fields\u0027 para usuarios que no son personal antes de construir el mapa de campos personalizados. Como soluci\u00f3n alternativa, los administradores del sitio pueden eliminar datos sensibles de los campos de usuario privados, o deshabilitar el directorio de usuarios a trav\u00e9s de la configuraci\u00f3n del sitio \u0027enable_user_directory\u0027.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2025.12.0\",\"matchCriteriaId\":\"6DB837D7-28C8-4E0F-B55F-AAAA36F32035\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2026.1.0\",\"versionEndExcluding\":\"2026.1.1\",\"matchCriteriaId\":\"1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*\",\"matchCriteriaId\":\"BB002FDC-BC71-4C46-8AAF-A34EC717E0E7\"}]}]}],\"references\":[{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-crxf-p6jm-vpgw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26265\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-27T16:16:56.830172Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-27T16:17:00.719Z\"}}], \"cna\": {\"title\": \"Discourse has IDOR vulnerability in the directory items endpoint\", \"source\": {\"advisory\": \"GHSA-crxf-p6jm-vpgw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"discourse\", \"product\": \"discourse\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2025.12.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2026.1.0-latest, \u003c 2026.1.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2026.2.0-latest, \u003c 2026.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-crxf-p6jm-vpgw\", \"name\": \"https://github.com/discourse/discourse/security/advisories/GHSA-crxf-p6jm-vpgw\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all\u0026user_field_ids=\u003cid\u003e` with any private field ID and receive that field\u0027s value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-26T15:10:25.929Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26265\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-27T16:17:05.469Z\", \"dateReserved\": \"2026-02-12T17:10:53.412Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-26T15:10:25.929Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…