{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33408", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.171Z", "datePublished": "2026-03-19T22:35:14.367Z", "dateUpdated": "2026-03-20T20:08:36.220Z"}, "containers": {"cna": {"title": "Discourse has Improper Authorization in \"Post Edits\" Report For Moderators", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c"}, {"name": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c"}, {"name": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1"}, {"name": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:35:14.367Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-wf9r-386h-g29c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:08:28.178776Z", "id": "CVE-2026-33408", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:08:36.220Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:08:28.178776Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:08:32.901Z"}}], "cna": {"title": "Discourse has Improper Authorization in \"Post Edits\" Report For Moderators", "source": {"advisory": "GHSA-wf9r-386h-g29c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "name": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "name": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "name": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:35:14.367Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33408", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:08:36.220Z", "dateReserved": "2026-03-19T17:02:34.171Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:35:14.367Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, los moderadores pod\u00edan ver los primeros 40 caracteres de las ediciones de publicaciones en mensajes privados y categor\u00edas privadas. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33408", "lastModified": "2026-03-24T20:55:00.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T23:16:44.887", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T23:21:03.061218+00:00", "value": {"mitigation_remediation": ["Upgrade discourse to version 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 (or newer) where the issue is fixed."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is discourse:discourse. All releases prior to version 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are vulnerable. Versions 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 contain a patch that removes the breadcrumb exposure and enforce proper authorization on edit previews.", "description_and_impact": "Discourse, an open\u2011source discussion platform, had a flaw in which moderators could view the first 40 characters of post edits when those edits were sent via private messages or posted in private categories. This improper authorization (CWE\u2011862) allows an authorized moderator to access edit history data that is normally hidden from other users, potentially exposing sensitive content. The vulnerability does not provide code execution or denial of service but reveals private excerpt information which could be used to infer the nature of the original post or the editing process.", "risk_and_exploitability": "The CVSS score is 2.2, indicating low severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be a moderator or to gain moderator privileges, limiting the attack surface. The risk to non\u2011moderator users is negligible, but privacy concerns exist for those whose posts are edited. Prompt patching mitigates the risk entirely."}}}}, "created": "2026-03-20T08:54:43.726335+00:00", "updated": "2026-03-20T10:44:11.635898+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}