CVE-2026-44785
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
There is a vulnerability in the Discourse discussion platform that allows authenticated users to access hidden parent post content by using the AI 'explain' function on a reply to that post. This issue affects versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1.
Risk Assessment
Organizations may be at risk of exposing sensitive information if users with access to the AI function can read hidden post content. This could lead to privacy breaches and data security issues.
Recommendation
It is recommended to update Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.
Original NVD description (English source)
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking "Explain" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

