Low severity2.7NVD Advisory· Published Mar 31, 2026· Updated Apr 10, 2026
CVE-2026-33415
CVE-2026-33415
Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Affected products
3cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*+ 2 more
- cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*range: >=2026.1.0,<2026.1.3
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
Patches
1e1bb146a1fadhttps://github.com/discourse/discoursevia nvd-ref
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.