Description
Discourse is an open source discussion platform. In affected versions, a vulnerability affects users of tag groups that use the "Tags are visible only to the following groups" feature. A tag group may restrict certain tags so that only a particular group (e.g. staff) can view them. Users who were tracking or watching those tags via /preferences/tags and then had their staff status revoked will still receive notifications related to the tag, even though the tag itself is no longer shown to them on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/discourse/discourse/security/advisories/GHSA-pq2x-vq37-8522
Patch, Third Party Advisory (x_refsource_misc): https://github.com/discourse/discourse/commit/cdaf7f4bb3ec268238e4c29a14bb73fad56574b4
Vendor Advisory (x_refsource_misc): https://meta.discourse.org/t/non-forum-staff-getting-notifications-for-staff-only-tags/184895
Scores
CVSS v3: 4.3
EPSS: 0.0027
EPSS Percentile: 49.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (2)
discourse/discourse 2.8.0 beta1 (7 CPE variants)
discourse/discourse < 2.7.11
Published: Dec 01, 2021
Tracked Since: Feb 18, 2026