Home

Description

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.

PUBLISHED Reserved 2026-05-13 | Published 2026-07-09 | Updated 2026-07-14 | Assigner GitHub_M




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

>= 2026.1.0-latest, < 2026.1.5
affected

>= 2026.4.0-latest, < 2026.4.2
affected

>= 2026.5.0-latest, < 2026.5.1
affected

References

github.com/...course/security/advisories/GHSA-22v7-6wgj-g9f7

github.com/...ommit/37969503f20369eb1712b7b88daedcfb4f63f5f1

github.com/...ommit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586

github.com/...ommit/6457ab71f36a2d1440fe96af0a2593897844b023

github.com/...ommit/7deb4b6963442569357b41e61febe37594e5e730

github.com/discourse/discourse/releases/tag/v2026.1.5

github.com/discourse/discourse/releases/tag/v2026.4.2

github.com/discourse/discourse/releases/tag/v2026.5.1

github.com/discourse/discourse/releases/tag/v2026.6.0

cve.org (CVE-2026-45780)

nvd.nist.gov (CVE-2026-45780)

Download JSON