CVE-2026-33514
MEDIUMDiscourse: Information Disclosure in Form Template API Due to Missing Authorization
Title source: cnaDescription
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-w6g7-p2p9-2m5h
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/ae5c9570fb918442c4d96abc83c1e7e169909b02
Scores
CVSS v4
6.0
EPSS
0.0004
EPSS Percentile
11.7%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (4)
discourse/discourse
< 2026.1.4
discourse/discourse
>= 2026.3.0-latest, < 2026.3.1
discourse/discourse
>= 2026.4.0-latest, < 2026.4.1
discourse/discourse
>= 2026.5.0-latest , < 2026.5.0-latest.1
Published
May 19, 2026
Tracked Since
May 19, 2026