CVE Catalog

CVE-2026-44786

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

15th percentile - higher than 15% of all known CVEs

Summary

Discourse is an open-source discussion platform with a vulnerability in versions from 2026.1.0 to before 2026.1.4, from 2026.3.0 to before 2026.3.1, and from 2026.4.0 to before 2026.4.1. Chat events for public category channels are published to MessageBus without proper permission scoping, allowing subscribers without chat enabled to receive chat message payloads in real time.

Risk Assessment

The organization may be exposed to the disclosure of private chat messages, potentially leading to privacy violations and loss of trust in the platform.

Recommendation

It is recommended to update Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to mitigate this vulnerability.

Original NVD description (English source)

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS