FKIE_CVE-2026-24742

Vulnerability from fkie_nvd - Published: 2026-01-28 21:16 - Updated: 2026-01-30 20:31
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.
References
security-advisories@github.comhttps://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6Third Party Advisory
Impacted products
Vendor Product Version
discourse discourse *
discourse discourse *
discourse discourse 2025.12.0
discourse discourse 2026.1.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
              "matchCriteriaId": "FDBF21E2-1191-4020-A17A-0702DE4E6451",
              "versionEndExcluding": "3.5.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
              "matchCriteriaId": "539B5B85-44F0-408E-B994-08BB20EA9C26",
              "versionEndExcluding": "2025.11.2",
              "versionStartIncluding": "2025.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*",
              "matchCriteriaId": "CCBF47A8-0D3F-4174-8084-CD3517BF272A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*",
              "matchCriteriaId": "F6CF5F98-F08F-4B28-BBE2-8296760A547E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access."
    },
    {
      "lang": "es",
      "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. En versiones anteriores a 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0, los moderadores no administradores pueden ver informaci\u00f3n sensible en los registros de acciones del personal que deber\u00eda estar restringida solo a los administradores. La informaci\u00f3n expuesta incluye URL y secretos de carga \u00fatil de webhook, detalles de claves API, cambios en la configuraci\u00f3n del sitio, contenido de mensajes privados, nombres y estructuras de categor\u00edas restringidas, y t\u00edtulos de canales de chat privados. Esto permite a los moderadores eludir los controles de acceso previstos y extraer datos confidenciales al monitorear los registros de acciones del personal. Con secretos de webhook filtrados, un atacante podr\u00eda potencialmente falsificar eventos de webhook a servicios integrados. Este problema est\u00e1 parcheado en las versiones 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0. Como soluci\u00f3n alternativa, los administradores del sitio deben revisar y limitar los nombramientos de moderadores a usuarios de plena confianza. No existe una soluci\u00f3n alternativa basada en la configuraci\u00f3n para evitar este acceso."
    }
  ],
  "id": "CVE-2026-24742",
  "lastModified": "2026-01-30T20:31:42.753",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-28T21:16:11.913",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.