CVE-2026-31869 Overview
CVE-2026-31869 is an Information Disclosure vulnerability affecting Discourse, the popular open-source discussion platform. The vulnerability exists in the ComposerController#mentions endpoint, which inadvertently reveals hidden group membership to any authenticated user who has the ability to message the group.
By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This effectively bypasses the group member-visibility controls that are designed to keep group membership confidential.
Critical Impact
Authenticated attackers can enumerate and discover members of hidden groups by exploiting the ComposerController#mentions endpoint, potentially exposing sensitive organizational structures or privileged user lists.
Affected Products
- Discourse versions prior to 2026.3.0-latest.1
- Discourse versions prior to 2026.2.1
- Discourse versions prior to 2026.1.2
Discovery Timeline
- 2026-03-20 - CVE-2026-31869 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-31869
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the ComposerController#mentions endpoint, which is designed to assist users when composing messages by suggesting mentions and validating group names.
The root issue stems from improper access control when handling requests that reference hidden-membership groups. When an authenticated user queries the endpoint with allowed_names containing a hidden-membership group identifier along with a username, the response behavior differs based on whether that user is actually a member of the group.
If the queried user is a member of the hidden group, the user_reasons field in the response returns "private" - a distinguishable response that reveals the membership status. This information oracle allows attackers to systematically enumerate group members by iterating through known usernames and observing the response patterns.
Root Cause
The vulnerability originates from insufficient access control validation in the ComposerController#mentions endpoint. The endpoint fails to verify whether the requesting user should have visibility into the membership status of hidden groups before returning differentiated responses. This creates an information leak where the response content inadvertently discloses protected membership information to unauthorized users.
Attack Vector
The attack is network-based and requires the attacker to be authenticated on the Discourse instance. The attacker must have the ability to message the target hidden-membership group. The exploitation process involves:
- Identifying a hidden-membership group that the attacker can message
- Crafting requests to the ComposerController#mentions endpoint with allowed_names referencing the hidden group
- Iterating through potential usernames while observing the user_reasons response field
- Determining group membership when "private" is returned for specific users
The attack requires low complexity and no user interaction, making it straightforward for any authenticated user with messaging privileges to exploit.
Detection Methods for CVE-2026-31869
Indicators of Compromise
- Unusual volume of requests to the ComposerController#mentions endpoint from a single user or session
- Sequential or automated-looking requests with varying username parameters but consistent allowed_names referencing hidden groups
- Authentication logs showing repeated access patterns targeting the mentions API endpoint
Detection Strategies
- Monitor application logs for high-frequency requests to the /composer/mentions or equivalent endpoint
- Implement rate limiting and anomaly detection for the mentions lookup functionality
- Create alerts for authenticated users making bulk queries with hidden group references in allowed_names
- Review access logs for patterns indicating systematic username enumeration
Monitoring Recommendations
- Enable detailed logging for the ComposerController endpoints to capture request parameters
- Configure SIEM rules to detect enumeration patterns against the mentions API
- Monitor for authenticated sessions making an abnormal number of API calls in short time periods
- Track and alert on requests that reference hidden-membership groups from non-member users
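One way to implement the enumeration check that the detection and monitoring lists above describe, as an added example that is not part of this advisory or of Discourse itself: it scans access-log lines for a single user probing many distinct usernames against a hidden-membership group through the /composer/mentions endpoint within a short window. The log line format, the query parameter names (names[], allowed_names[]) and the hidden-group list are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from a real instance). Assumed line format:
# "<ISO ts> <user> <method> <path?query>"; parameter names are assumptions too.
SAMPLE_LOG = """\
2026-03-21T10:00:01Z alice GET /composer/mentions?names[]=bob&allowed_names[]=hidden-finance
2026-03-21T10:00:02Z alice GET /composer/mentions?names[]=carol&allowed_names[]=hidden-finance
2026-03-21T10:00:03Z alice GET /composer/mentions?names[]=dave&allowed_names[]=hidden-finance
2026-03-21T10:00:04Z alice GET /composer/mentions?names[]=erin&allowed_names[]=hidden-finance
2026-03-21T10:00:05Z alice GET /composer/mentions?names[]=frank&allowed_names[]=hidden-finance
2026-03-21T11:00:00Z carol GET /t/123
"""
HIDDEN_GROUPS = {"hidden-finance"}  # assumed: hidden-membership groups on the site
WINDOW = timedelta(minutes=5)       # sliding window for the heuristic
THRESHOLD = 5                       # distinct usernames probed against one hidden group
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """(ts, user, hidden groups, probed names) for hidden-group mentions requests, else None."""
    m = LINE_RE.match(line)
    if not m or urlsplit(m[4]).path != "/composer/mentions":
        return None
    q = parse_qs(urlsplit(m[4]).query)
    groups = set(q.get("allowed_names[]", [])) & HIDDEN_GROUPS
    names = q.get("names[]", [])
    if not groups or not names:
        return None
    return datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], groups, names

def find_enumerators(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map (user, hidden group) -> most distinct usernames probed inside one window, if >= threshold."""
    events = defaultdict(list)  # (user, group) -> [(ts, probed name)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, user, groups, names = rec
            for g in groups:
                events[(user, g)].extend((ts, n) for n in names)
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            probed = {n for t, n in evs[i:] if t - t0 <= window}
            if len(probed) >= threshold:
                hits[key] = max(hits.get(key, 0), len(probed))
    return hits
```

Tune WINDOW and THRESHOLD to the site's normal mention-autocomplete traffic, since legitimate composing also hits this endpoint, just not with many distinct names against one hidden group in a few seconds.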
How to Mitigate CVE-2026-31869
Immediate Actions Required
- Upgrade Discourse immediately to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 (or later)
- Review hidden-membership group configurations and assess potential exposure
- Audit logs for any suspicious enumeration activity targeting the mentions endpoint
- Implement the recommended workaround if patching cannot be completed immediately
Patch Information
Discourse has released security patches in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 that address this vulnerability. The patches correct the access control logic in the ComposerController#mentions endpoint to prevent unauthorized disclosure of hidden group membership information. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Restrict the messageable policy of any hidden-membership group to staff or group members only
- Disable messaging capabilities for hidden-membership groups until patches can be applied
- Implement network-level access controls to limit exposure of the Discourse instance to trusted users only
- Consider temporarily converting hidden-membership groups to standard groups if the membership is not sensitive
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

