CVE-2026-45780

MEDIUM

Discourse: Private event sample invitees are serialized to non-invited event viewers

Title source: cna
STIX 2.1

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

Scores

CVSS v3 5.3
EPSS 0.0040
EPSS Percentile 32.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (3)
discourse/discourse >= 2026.1.0-latest, < 2026.1.5
discourse/discourse >= 2026.4.0-latest, < 2026.4.2
discourse/discourse >= 2026.5.0-latest, < 2026.5.1
Published Jul 09, 2026
Tracked Since Jul 10, 2026