CVE Catalog

CVE-2026-44782

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile - higher than 7% of all known CVEs

Summary

Discourse is an open-source discussion platform that has a bug in the serialization of the :name attribute in GroupPostSerializer. The issue is that the incorrectly named predicate include_user_long_name? was never called, resulting in object.user.name always being serialized regardless of SiteSetting.enable_names.

Risk Assessment

Organizations may be exposed to user data disclosure, as the user's name is always serialized, potentially leading to unauthorized access to personal information.

Recommendation

It is recommended to update Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.

Original NVD description (English source)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS