CVE-2026-34947

MEDIUM

Discourse: Staged user custom fields are exposed on public invite pages

Title source: cna
STIX 2.1

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

References (1)

Scores

CVSS v3 5.3
EPSS 0.0004
EPSS Percentile 11.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (5)
discourse/discourse 2026.3.0
discourse/discourse 2026.1.0 - 2026.1.2
discourse/discourse >= 2026.1.0-latest, < 2026.1.3
discourse/discourse >= 2026.2.0-latest, < 2026.2.2
discourse/discourse >= 2026.3.0-latest, < 2026.3.0
Published Apr 03, 2026
Tracked Since Apr 04, 2026