Reactions leak for secure category topics and private messages
Description
Discourse-reactions plugin before 0.2 exposes user reactions on secure topics and private messages, allowing unauthorized visibility.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Discourse-reactions plugin for Discourse allows users to add reactions to posts. In versions prior to 0.2, the reactions_given endpoint did not properly filter reactions based on topic visibility. This meant that reactions given by a user to posts in secure categories or private messages were returned to any authenticated user querying that endpoint. The issue is fixed in version 0.2 of the plugin [1][2].
Exploitation
An attacker with a valid Discourse account can exploit this vulnerability by calling the reactions_given endpoint for any target user. The endpoint returns a list of reactions along with the associated post and topic, without checking whether the attacker has permission to view those topics. No additional privileges or user interaction beyond being logged in are required [1][2].
Impact
Successful exploitation results in information disclosure: the attacker learns which posts the target user reacted to, including posts in secure categories and private messages. This can reveal sensitive content or relationships that the user intended to keep private. The confidentiality of secure topics and private messages is compromised [2].
Mitigation
The vulnerability is patched in Discourse-reactions version 0.2, released on 2021-10-19 [1]. Users who cannot upgrade immediately should disable the Discourse-reactions plugin via the admin panel as a workaround [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), range: < 0.2
- (no CPE), range: < 0.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access-control filtering on the topic visibility of reactions returned by the `reactions_given` endpoint."
Attack vector
An attacker can call the `/discourse-reactions/posts/reactions.json` endpoint with a target username to retrieve that user's reactions. Because the original code lacked access-control filtering on the underlying topics, the response included reactions on private messages and topics in secure (read-restricted) categories even when the attacker had no permission to view those topics. This leaks sensitive information about which posts a user reacted to. [ref_id=1]
Affected code
The vulnerability is in the `reactions_given` action of `app/controllers/discourse_reactions/custom_reactions_controller.rb`. The original query joined `ReactionUser` with `:reaction, :post` but did not filter based on topic visibility, allowing reactions on private messages and secure-category topics to be exposed to unauthorized users. The patch adds a `secure_reaction_users!` method that applies access-control checks on the topic's archetype and category read restrictions.
What the fix does
The patch modifies the `reactions_given` query to join through `post: :topic` and adds a `LEFT JOIN categories` so that topic-level and category-level permissions can be checked. The new `secure_reaction_users!` method filters out private messages unless the requesting user is a participant or admin, and filters out topics in read-restricted categories unless the user belongs to an authorized group. This ensures the endpoint only returns reactions that the requester is allowed to see. [ref_id=1]
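The topic-visibility check described above, written out as an added illustration for this page in plain Ruby rather than ActiveRecord. This is not the plugin's own code: the `Requester`, `Category`, `Topic` and `Reaction` types, the `topic_visible?` and `reactions_given` methods, and the sample data are all constructed for the example. It applies the two rules the fix introduces (private messages only to participants or admins; read-restricted categories only to members of an authorized group) and keeps the pre-fix unfiltered query beside it for comparison.

```ruby
# Added example (not discourse-reactions code). Models the access-control
# filter that the 0.2 fix applies to the reactions_given endpoint.
Requester = Struct.new(:id, :admin, :group_ids)          # the user making the request
Category  = Struct.new(:id, :read_restricted, :group_ids) # group_ids may read a restricted category
Topic     = Struct.new(:id, :archetype, :category_id, :participant_ids)
Reaction  = Struct.new(:reactor_id, :post_id, :topic_id, :emoji)

# True when the requester is allowed to see the topic a reaction belongs to.
def topic_visible?(topic, category, requester)
  if topic.archetype == "private_message"
    # PMs: only participants or admins, as described in the fix
    return requester.admin || topic.participant_ids.include?(requester.id)
  end
  # Regular topics: open unless the category is read-restricted,
  # in which case the requester must belong to an authorized group
  return true if category.nil? || !category.read_restricted
  (category.group_ids & requester.group_ids).any?
end

# Fixed behaviour: reactions by target_user_id, restricted to visible topics.
def reactions_given(reactions, topics, categories, requester, target_user_id)
  given = reactions.select { |r| r.reactor_id == target_user_id }
  given.select do |r|
    topic = topics.fetch(r.topic_id)
    topic_visible?(topic, categories[topic.category_id], requester)
  end
end

# Pre-fix behaviour: no topic filtering at all (what leaked).
def reactions_given_unfiltered(reactions, target_user_id)
  reactions.select { |r| r.reactor_id == target_user_id }
end

# Constructed sample data: one public topic, one in a read-restricted
# category readable by group 10, and one private message between users 5 and 7.
CATEGORIES = { 1 => Category.new(1, false, []), 2 => Category.new(2, true, [10]) }
TOPICS = {
  100 => Topic.new(100, "regular", 1, []),
  200 => Topic.new(200, "regular", 2, []),
  300 => Topic.new(300, "private_message", nil, [5, 7]),
}
REACTIONS = [
  Reaction.new(5, 1000, 100, "heart"),
  Reaction.new(5, 2000, 200, "heart"),
  Reaction.new(5, 3000, 300, "laughing"),
]

# Post ids of user 5's reactions that a given requester may see.
def visible_post_ids(requester, target_user_id = 5)
  reactions_given(REACTIONS, TOPICS, CATEGORIES, requester, target_user_id).map(&:post_id)
end

def leaked_post_ids(target_user_id = 5)
  reactions_given_unfiltered(REACTIONS, target_user_id).map(&:post_id)
end

if __FILE__ == $PROGRAM_NAME
  stranger = Requester.new(9, false, [])
  puts "unfiltered (pre-fix): #{leaked_post_ids.inspect}"
  puts "stranger sees:        #{visible_post_ids(stranger).inspect}"
end
```

Running it shows the unfiltered query returning all three posts to any logged-in user, while the filtered version returns only the public-topic reaction to a stranger, adds the restricted-category reaction for a member of group 10, and adds the private-message reaction only for a participant or an admin.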
Preconditions
- input: The attacker must know or guess a target username on the Discourse instance.
- network: The attacker must be able to reach the `/discourse-reactions/posts/reactions.json` endpoint (no special authentication required beyond a normal user session).
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/discourse/discourse-reactions/commit/213d90b82fd15c4186ebc290fee18817d9727d0d (MISC)
2. github.com/discourse/discourse-reactions/security/advisories/GHSA-9358-hwg5-jrmh (CONFIRM)
News mentions
No linked articles in our index yet.