CVE-2026-45780
MEDIUMDiscourse: Private event sample invitees are serialized to non-invited event viewers
Title source: cnaDescription
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
References (9)
Core 9
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.1.5
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.4.2
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.5.1
X_Refsource_Misc x_refsource_misc
https://github.com/discourse/discourse/releases/tag/v2026.6.0
Scores
CVSS v3
5.3
EPSS
0.0040
EPSS Percentile
32.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (3)
discourse/discourse
>= 2026.1.0-latest, < 2026.1.5
discourse/discourse
>= 2026.4.0-latest, < 2026.4.2
discourse/discourse
>= 2026.5.0-latest, < 2026.5.1
Published
Jul 09, 2026
Tracked Since
Jul 10, 2026