CVE-2026-30891
MEDIUMDiscourse hasUnauthorized Exposure of Private User Action Types
Title source: cnaDescription
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.
Scores
CVSS v3
6.5
EPSS
0.0004
EPSS Percentile
12.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (5)
discourse/discourse
2026.3.0
discourse/discourse
2026.1.0 - 2026.1.2
discourse/discourse
= 2026.3.0-latest.1
discourse/discourse
>= 2026.1.0-latest, < 2026.1.2
discourse/discourse
>= 2026.2.0-latest, < 2026.2.1
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026