CVE-2026-23743 Overview
CVE-2026-23743 is an Information Disclosure vulnerability affecting Discourse, an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box.
Critical Impact
Unauthorized users can obtain sensitive information about private topics, categories, posts, and hidden tags through permalink redirects, potentially exposing confidential discussion titles and metadata.
Affected Products
- Discourse versions prior to 3.5.4
- Discourse versions prior to 2025.11.2
- Discourse versions prior to 2025.12.1
- Discourse versions prior to 2026.1.0
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-23743 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-23743
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue stems from improper handling of access-restricted resource redirects within Discourse's permalink system. When a user requests a permalink that points to a private or restricted resource, the application performs a redirect that includes the resource's slug in the destination URL, regardless of whether the requesting user has permission to access that resource.
The information leakage occurs through two distinct channels: the HTTP Location header used for the redirect, and the 404 error page's search box which pre-populates with the resource slug. This allows unauthenticated or unauthorized users to enumerate and discover the titles of private topics, names of restricted categories, and hidden tags simply by following permalinks or observing redirect responses.
Root Cause
The root cause of this vulnerability is insufficient access control validation during the permalink resolution process. When processing permalink requests, the application retrieves the destination resource and constructs the redirect URL before verifying whether the requesting user has appropriate permissions to view that resource. This ordering flaw causes the sensitive slug information to be exposed in the redirect response regardless of the user's authorization level.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Obtaining or guessing permalink URLs that may point to restricted resources
- Sending HTTP requests to these permalink endpoints
- Observing the redirect Location header in the HTTP response to capture the resource slug
- Alternatively, following the redirect and examining the 404 page's search box which contains the leaked information
The vulnerability is particularly concerning for organizations using Discourse to host sensitive internal discussions, as private topic titles may contain confidential information about projects, personnel decisions, or security matters.
Detection Methods for CVE-2026-23743
Indicators of Compromise
- Unusual volume of HTTP requests to permalink endpoints from unauthenticated sessions
- Patterns of sequential or enumeration-style requests to /permalink/ routes
- Access logs showing 404 responses preceded by redirects to private resource paths
- External IP addresses repeatedly accessing permalinks to restricted content areas
Detection Strategies
- Monitor web server access logs for redirect responses (HTTP 301/302) to URLs containing private topic or category slugs
- Implement rate limiting and anomaly detection on permalink resolution endpoints
- Review application logs for patterns indicating systematic probing of permalink resources
- Configure alerting for unauthorized access attempts to restricted resource URLs
Monitoring Recommendations
- Enable detailed logging for all permalink resolution requests including source IP and user session state
- Implement security information and event management (SIEM) rules to detect potential exploitation patterns
- Establish baseline traffic patterns for permalink endpoints and alert on deviations
- Monitor for reconnaissance activity targeting your Discourse instance's URL structure
How to Mitigate CVE-2026-23743
Immediate Actions Required
- Upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later immediately
- Review server access logs for potential exploitation attempts prior to patching
- Audit private topic titles and hidden tags for any confidential information that may have been exposed
- Consider temporarily disabling or restricting access to permalinks if immediate patching is not possible
Patch Information
Discourse has released security patches addressing this vulnerability in the following versions:
- Version 3.5.4 (stable)
- Version 2025.11.2
- Version 2025.12.1
- Version 2026.1.0
Administrators should upgrade to one of these patched versions as soon as possible. For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-v5jw-rxc6-4cvv.
Workarounds
- No known workarounds are available for this vulnerability according to the vendor advisory
- Upgrading to a patched version is the only remediation option
- Organizations with highly sensitive private content should prioritize immediate patching
- Consider reviewing and sanitizing private topic titles to minimize exposure risk until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
