VYPR
Medium severity 5.3 · NVD Advisory · Published May 19, 2026

CVE-2026-32244

Description

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Discourse cached AI summaries can expose removed content to unauthorized users if not regenerated.

Vulnerability

In Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, AI-generated summaries that are cached may continue to display content that has been removed from the underlying topic or post. This occurs because the cached summary is not automatically invalidated or regenerated when the source content is deleted or edited, leading to a discrepancy between the visible summary and the actual content [1].

Exploitation

An anonymous or unprivileged user who can view a topic (but lacks permission to regenerate summaries) can read the cached AI summary, which may contain the removed content. No authentication is required beyond what is needed to view the topic, and no user interaction from the victim is necessary. The attack complexity is low, and the attack vector is network-based, allowing remote exploitation [1].

Impact

Successful exploitation results in unauthorized disclosure of information that was intended to be deleted or hidden. This confidentiality breach can expose sensitive discussions or data that the application administrators believed were no longer accessible. The integrity or availability of the system is not directly affected [1].

Mitigation

The issue has been fixed in Discourse versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Administrators can work around the vulnerability by restricting which groups are allowed to generate summaries via the summarization Personas feature, thus limiting the number of users who might encounter outdated cached summaries [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • (no CPE) range: <2026.1.4 || <2026.3.1 || <2026.4.1 || <2026.5.0-latest.1
  • (no CPE) range: < 2026.1.4 || 2026.3.1 || 2026.4.1 || 2026.5.0-latest.1
