Synced 17 Jun 2026 22:27 UTC Account
← All products

CVE-2026-33514

MEDIUM severity · CVSS 4.3 · Missing authorization
4.3CVSS MEDIUM

Summary

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactLow
Integrity impactNone
Availability impactNone
Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products we track (1)

Discourse

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/discourse/discourse/commit/ae5c9570fb918442c4d96abc83c1e7e169909b02 ↗

Additional information