VYPR
Unrated severity · NVD Advisory · Published Apr 19, 2023 · Updated Feb 5, 2025

Reaction metadata exposed in private topics in Discourse-reactions

CVE-2023-30611

Description

Discourse-reactions plugin before 0.3 leaked reaction metadata on private topics, exposing user reactions to unauthorized users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The discourse-reactions plugin for Discourse, prior to version 0.3, did not enforce topic read permissions when publishing reaction updates. Reactions toggled on posts in private topics were therefore delivered to users who had no access to those topics [1][2].

Exploitation

An attacker with network access to the Discourse instance could subscribe to the MessageBus channel of a private topic and receive its reaction updates, or, potentially, use an API key to fetch reaction data. The leak is triggered whenever a participant toggles a reaction on a post in a private topic: the plugin published the update to the topic's MessageBus channel without restricting recipients to users permitted to see the topic. The fix commit [1] adds a test for exactly this case.

Impact

Successful exploitation leaks reaction metadata (emoji types and counts) for posts in private topics, and with it the fact that activity is taking place in a conversation the attacker cannot otherwise read. This is a confidentiality breach of private conversations; there is no integrity or availability impact.

Mitigation

Upgrade to discourse-reactions version 0.3 or later. There is no workaround other than disabling the plugin entirely until the upgrade can be applied [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin did not properly check user permissions before publishing reaction data to private topics."

Attack vector

When a participant toggles a reaction on a post in a private topic, the plugin publishes the reaction update to the topic's MessageBus channel without restricting recipients. Any client subscribed to that channel, including users who cannot see the topic, receives the update. This bypasses the intended privacy controls for private messages. [ref_id=1]

Affected code

The vulnerability lies in how the plugin publishes MessageBus messages for reactions, specifically on posts in private topics. The fix commit extends the test suite with a case that toggles a reaction on a private post and checks that the published message is not delivered to users without access to the topic. [ref_id=1]

What the fix does

The patch adds a permission check before publishing: reaction updates for a post are only delivered to users who are allowed to view its topic. For private topics this is done by restricting the `user_ids` of the published MessageBus message to the users permitted to see the topic, so subscribers without access never receive the update. [ref_id=1]
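The attack vector and the fix above both come down to one MessageBus detail: a message published with `user_ids:` is delivered only to those subscribers, while a message published without it reaches every subscriber of the channel. The following is an added example, not code from the discourse-reactions plugin or from Discourse; it uses a hypothetical in-process stand-in for MessageBus and a hypothetical `Topic`/`Post` model (the names `FakeMessageBus`, `visible_to?`, `publish_reaction_unfiltered` and `publish_reaction_filtered` are assumptions) to show the leaking publish beside the filtered one.

```ruby
# Added example (not the plugin's or Discourse's own code).
# Minimal stand-in for MessageBus delivery semantics (assumption: this
# mirrors the message_bus gem only at the level that matters here):
# a message published with `user_ids:` goes to those subscribers only;
# a message published without it goes to every subscriber of the channel.
class FakeMessageBus
  Delivery = Struct.new(:channel, :data, :user_id)

  def initialize
    @subscribers = Hash.new { |h, k| h[k] = [] }
    @deliveries = []
  end

  # Any client can subscribe to any channel name; the channel itself
  # carries no access control, only the published message's user_ids does.
  def subscribe(channel, user_id)
    @subscribers[channel] << user_id
  end

  def publish(channel, data, user_ids: nil)
    @subscribers[channel].each do |uid|
      next if user_ids && !user_ids.include?(uid)
      @deliveries << Delivery.new(channel, data, uid)
    end
  end

  # Sorted ids of every subscriber that received a message on this channel.
  def delivered_to(channel)
    @deliveries.select { |d| d.channel == channel }.map(&:user_id).sort
  end
end

# Hypothetical model: a private topic (a Discourse private message) is
# readable only by its allowed users; a public topic is readable by anyone.
Topic = Struct.new(:id, :is_private, :allowed_user_ids) do
  def private?
    is_private
  end

  def channel
    "/topic/#{id}"
  end

  # Hypothetical permission check (stands in for the app's guardian logic).
  def visible_to?(user_id)
    !private? || allowed_user_ids.include?(user_id)
  end
end
Post = Struct.new(:id, :topic)

# Vulnerable shape: the reaction update is published with no recipient
# filter, so it reaches every subscriber of the topic channel.
def publish_reaction_unfiltered(bus, post, reaction)
  bus.publish(post.topic.channel, { post_id: post.id, reaction: reaction })
end

# Hardened shape: on a private topic, restrict recipients to the users who
# can see the topic; public topics may still fan out to everyone.
def publish_reaction_filtered(bus, post, reaction)
  payload = { post_id: post.id, reaction: reaction }
  if post.topic.private?
    bus.publish(post.topic.channel, payload, user_ids: post.topic.allowed_user_ids)
  else
    bus.publish(post.topic.channel, payload)
  end
end

# Constructed scenario: users 1 and 2 share a private message; user 99 has
# no access to it but subscribes to the topic's channel anyway.
def run_scenario(publisher)
  bus = FakeMessageBus.new
  topic = Topic.new(42, true, [1, 2])
  post = Post.new(7, topic)
  [1, 2, 99].each { |uid| bus.subscribe(topic.channel, uid) }
  send(publisher, bus, post, "heart")
  bus.delivered_to(topic.channel)
end

# Sanity check that the filtered publish never reaches a user the topic
# model says cannot see the topic.
def filtered_publish_respects_visibility?
  topic = Topic.new(42, true, [1, 2])
  run_scenario(:publish_reaction_filtered).all? { |uid| topic.visible_to?(uid) }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:publish_reaction_unfiltered) # [1, 2, 99]: leaks to user 99
  p run_scenario(:publish_reaction_filtered)   # [1, 2]
end
```

The example models only private messages with an allowed-users list; a Discourse topic in a restricted category is gated by group membership instead, so a complete fix there would need the equivalent group-based restriction, which this illustration leaves out.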

Preconditions

  • config: The discourse-reactions plugin must be enabled.
  • auth: The attacker needs a client able to subscribe to the private topic's MessageBus channel, not access to the topic itself; a user who does have access must toggle a reaction on a post in that topic to trigger the publish.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)