Low severity2.7NVD Advisory· Published Mar 31, 2026· Updated Apr 10, 2026
CVE-2026-33415
CVE-2026-33415
Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were not authorized to view. Insufficient access controls on a sentiment analytics endpoint allowed category permission boundaries to be bypassed. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*+ 3 more
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
- cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*range: >=2026.1.0,<2026.1.3
- (no CPE)range: >= 2026.1.0, < 2026.1.3 || >= 2026.2.0, < 2026.2.2 || >= 2026.3.0-latest, < 2026.3.0
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.