VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Jun 12, 2026

CVE-2026-44782

Description

A misnamed predicate in Discourse's GroupPostSerializer causes user full names to be leaked even when the enable_names setting is disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Discourse versions 2026.1.0 to before 2026.1.4, 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, the GroupPostSerializer class declares include_user_long_name? as the predicate meant to guard its :name attribute. Active Model Serializers (AMS) derives the guard's name from the attribute's name, so for :name it looks for include_name? and ignores any method with a different name. Because the misnamed predicate is never called, object.user.name is serialized unconditionally, regardless of the SiteSetting.enable_names setting that is intended to control whether full names are displayed [1].
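The mechanism above, as an added example that is not Discourse or AMS code: MiniSerializer is a deliberately simplified stand-in for the AMS include_<attr>? lookup, SiteSetting is a stub, and the two serializer classes mirror the vulnerable and patched shapes of GroupPostSerializer.

```ruby
# Stand-in for SiteSetting (assumption: only enable_names is needed here).
module SiteSetting
  class << self
    attr_accessor :enable_names
    def enable_names?; !!@enable_names; end
  end
end

# Simplified AMS-style base: an attribute is emitted unless the serializer defines
# include_<attr>? and it returns false. Any other predicate name is never looked up.
class MiniSerializer
  def self.attributes(*names); (@attrs ||= []).concat(names); end
  def self.attrs; @attrs || []; end
  attr_reader :object
  def initialize(object); @object = object; end

  def as_json
    self.class.attrs.each_with_object({}) do |attr, out|
      guard = :"include_#{attr}?"
      next if respond_to?(guard, true) && !send(guard)
      out[attr.to_s] = send(attr)
    end
  end
end

Post = Struct.new(:id, :user)
User = Struct.new(:username, :name)

# Vulnerable shape: include_user_long_name? matches no declared attribute.
class VulnerableGroupPostSerializer < MiniSerializer
  attributes :id, :name
  def id; object.id; end
  def name; object.user.name; end
  def include_user_long_name?; SiteSetting.enable_names?; end
end

# Fixed shape from the patch: include_name? actually guards :name.
class FixedGroupPostSerializer < MiniSerializer
  attributes :id, :name
  def id; object.id; end
  def name; object.user.name; end
  def include_name?; SiteSetting.enable_names?; end
end

SAMPLE_POST = Post.new(42, User.new("alice", "Alice Example")) # constructed sample

def serialize(klass, enable_names:)
  SiteSetting.enable_names = enable_names
  klass.new(SAMPLE_POST).as_json
end
```

With enable_names disabled the vulnerable class still emits "name", which is exactly what the patched spec asserts against.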

Exploitation

An attacker who can view group posts (typically any authenticated user) can observe the full names of users associated with those posts, including names that should have been hidden by the enable_names setting. No special privileges or user interaction are required beyond normal access to the forum [1].

Impact

The vulnerability leads to unintended disclosure of user full names, violating the confidentiality of user profile settings. The attacker gains no additional privileges or control over the system, but the information leak may expose personal data that users expected to remain private [1].

Mitigation

The issue is patched in Discourse versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Users should upgrade to one of these fixed versions. No workaround is available for unpatched installations [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

1a7eb4362b46

SECURITY: GroupPostSerializer leaks hidden full names through reaction post association [backport 2026.4]

https://github.com/discourse/discourse · discourse-patch-triage[bot] · May 18, 2026 · Fixed in 2026.4.1 via llm-release-walk
2 files changed · +12 −1
  • app/serializers/group_post_serializer.rb (+1 −1, modified)
    @@ -43,7 +43,7 @@ def posts_count
         object.topic.posts_count
       end
     
    -  def include_user_long_name?
    +  def include_name?
         SiteSetting.enable_names?
       end
     
    
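Review bot: the rename is the complete fix, but nothing in this hunk stops the same mistake recurring, since AMS silently ignores a predicate whose name matches no declared attribute. Consider a serializer-level guard, for example a spec asserting that GroupPostSerializer output has no "name" key when SiteSetting.enable_names is false, so the check lives next to the serializer rather than only in a plugin's request spec.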
  • plugins/discourse-reactions/spec/requests/custom_reactions_controller_spec.rb (+11 −0, modified)
    @@ -190,6 +190,17 @@
           expect(parsed[0]["reaction"]["id"]).to eq(laughing_reaction.id)
         end
     
    +    it "does not expose post author names when names are disabled" do
    +      SiteSetting.enable_names = false
    +      sign_in(user_1)
    +
    +      get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
    +      expect(response.status).to eq(200)
    +
    +      post = response.parsed_body.find { |reaction| reaction["post_id"] == post_2.id }["post"]
    +      expect(post).not_to have_key("name")
    +    end
    +
         it "does not return reactions for private messages" do
           sign_in(user_1)
     
    
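Review bot: the new example only covers the disabled case; a counterpart with SiteSetting.enable_names = true that expects post["name"] to eq(user_2.name) would also catch the attribute being dropped outright and documents the intended behaviour. Since GroupPostSerializer lives in core while this spec lives in the discourse-reactions plugin, other consumers of the serializer remain untested by this change.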
efed14871f97

SECURITY: GroupPostSerializer leaks hidden full names through reaction post association [backport 2026.3]

https://github.com/discourse/discourse · discourse-patch-triage[bot] · May 18, 2026 · Fixed in 2026.3.1 via llm-release-walk
2 files changed · +12 −1
  • app/serializers/group_post_serializer.rb (+1 −1, modified)
    @@ -43,7 +43,7 @@ def posts_count
         object.topic.posts_count
       end
     
    -  def include_user_long_name?
    +  def include_name?
         SiteSetting.enable_names?
       end
     
    
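Review bot: identical to the serializer hunk in 1a7eb4362b46, and the same point applies: nothing here guards against a future predicate rename being silently ignored again, so a serializer-level spec asserting the absence of "name" when enable_names is false would be worth backporting alongside it.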
  • plugins/discourse-reactions/spec/requests/custom_reactions_controller_spec.rb (+11 −0, modified)
    @@ -190,6 +190,17 @@
           expect(parsed[0]["reaction"]["id"]).to eq(laughing_reaction.id)
         end
     
    +    it "does not expose post author names when names are disabled" do
    +      SiteSetting.enable_names = false
    +      sign_in(user_1)
    +
    +      get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
    +      expect(response.status).to eq(200)
    +
    +      post = response.parsed_body.find { |reaction| reaction["post_id"] == post_2.id }["post"]
    +      expect(post).not_to have_key("name")
    +    end
    +
         it "does not return reactions for private messages" do
           sign_in(user_1)
     
    
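Review bot: as with the same spec hunk in 1a7eb4362b46, only enable_names = false is covered; an enable_names = true counterpart expecting post["name"] to eq(user_2.name) would also catch the attribute being dropped entirely.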
5e51c6ab905a

SECURITY: GroupPostSerializer leaks hidden full names through reaction post association [backport 2026.1]

https://github.com/discourse/discourse · discourse-patch-triage[bot] · May 18, 2026 · Fixed in 2026.1.4 via llm-release-walk
2 files changed · +12 −1
  • app/serializers/group_post_serializer.rb (+1 −1, modified)
    @@ -43,7 +43,7 @@ def posts_count
         object.topic.posts_count
       end
     
    -  def include_user_long_name?
    +  def include_name?
         SiteSetting.enable_names?
       end
     
    
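Review bot: identical to the serializer hunk in 1a7eb4362b46, and the same point applies: a misnamed include_*? predicate is silently ignored by AMS, so a serializer-level spec asserting the absence of "name" when enable_names is false would be worth backporting alongside this rename.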
  • plugins/discourse-reactions/spec/requests/custom_reactions_controller_spec.rb (+11 −0, modified)
    @@ -190,6 +190,17 @@
           expect(parsed[0]["reaction"]["id"]).to eq(laughing_reaction.id)
         end
     
    +    it "does not expose post author names when names are disabled" do
    +      SiteSetting.enable_names = false
    +      sign_in(user_1)
    +
    +      get "/discourse-reactions/posts/reactions.json", params: { username: user_2.username }
    +      expect(response.status).to eq(200)
    +
    +      post = response.parsed_body.find { |reaction| reaction["post_id"] == post_2.id }["post"]
    +      expect(post).not_to have_key("name")
    +    end
    +
         it "does not return reactions for private messages" do
           sign_in(user_1)
     
    
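Review bot: as with the same spec hunk in 1a7eb4362b46, only enable_names = false is covered; an enable_names = true counterpart expecting post["name"] to eq(user_2.name) would also catch the attribute being dropped entirely.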


References

1
