CVE-2026-32143 Overview
CVE-2026-32143 is an authorization bypass vulnerability in Discourse, the popular open-source discussion platform. This flaw allows moderators to export CSV data for admin-restricted reports, bypassing the intended report visibility restrictions. The vulnerability could expose sensitive operational data that was intended to be accessible only to administrators.
Critical Impact
Moderators can access and export admin-only report data via CSV export functionality, potentially exposing sensitive platform operational metrics and user information.
Affected Products
- Discourse versions from 2026.1.0-latest up to, but not including, 2026.1.3
- Discourse versions from 2026.2.0-latest up to, but not including, 2026.2.2
- Discourse versions from 2026.3.0-latest up to, but not including, 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-32143 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32143
Vulnerability Analysis
This vulnerability stems from an improper access control check in Discourse's CSV export functionality. The can_export_entity? method in the Guardian class failed to properly validate whether a moderator had permission to export specific report types via CSV. While the web interface correctly restricted admin-only reports from moderators, the CSV export endpoint did not perform the same authorization checks on the report name parameter.
The flaw is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as it allows users with moderator privileges to access data they should not be authorized to view. This represents a horizontal privilege escalation where moderators gain access to admin-level reporting capabilities.
Root Cause
The root cause lies in the incomplete authorization check within the can_export_entity? method in lib/guardian.rb. When moderators requested CSV exports for reports, the original implementation only checked if the entity type was "report" without validating whether the specific report name was hidden from non-admin users. The Report.hidden? check was missing, allowing moderators to bypass visibility restrictions by directly requesting admin-only reports through the CSV export API endpoint.
Attack Vector
An authenticated moderator could exploit this vulnerability by crafting requests to the CSV export controller with admin-restricted report names. The attack requires network access and valid moderator credentials. The exploitation path involves:
- Authenticating as a user with moderator privileges
- Identifying admin-restricted report names (potentially through enumeration or documentation)
- Sending export requests to /admin/export_csv/export_entity with the restricted report name
- Receiving CSV data containing sensitive operational information
def export_entity
entity = export_params[:entity]
entity_id = params.dig(:args, :export_user_id)&.to_i if entity == "user_archive"
- guardian.ensure_can_export_entity!(entity, entity_id)
+ guardian.ensure_can_export_entity!(entity, entity_id, export_params[:args])
raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100
(export_params[:args] || {}).each do |key, value|
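Review bot: the new call `guardian.ensure_can_export_entity!(entity, entity_id, export_params[:args])` makes the authorization decision before the request is validated: the `raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100` check and the `(export_params[:args] || {}).each` validation loop both run after it. Consider moving the `InvalidParameters` check above the guardian call so the guardian always sees a validated `entity`. Also, `entity_id` is read from the raw `params.dig(:args, :export_user_id)` while the new argument comes from the permitted `export_params[:args]`; reading both from `export_params` keeps the two sources consistent.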
Source: GitHub Commit Update
The fix passes the export arguments to the authorization check, enabling proper validation of report-specific permissions:
@user.in_any_groups?(SiteSetting.send_email_messages_allowed_groups_map)
end
- def can_export_entity?(entity, entity_id = nil)
+ def can_export_entity?(entity, entity_id = nil, args = nil)
return false if anonymous?
return true if is_admin?
return can_see_emails? if entity == "screened_email"
return can_see_ip? if entity == "screened_ip"
if is_moderator? && (entity != "user_archive" || entity_id.nil?)
+ if entity == "report"
+ report_name = args&.[](:name) || args&.[]("name")
+ return true if report_name.blank?
+ return !Report.hidden?(report_name, admin: false)
+ end
return %w[staff_action screened_url report user_archive].include?(entity)
end
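Review bot: `return true if report_name.blank?` fails open: a moderator who sends `entity == "report"` with no name passes the guardian before anything has identified which report is being exported. Returning false here (or raising `Discourse::InvalidParameters`) would fail closed and leave the blank-name case to the caller's argument validation. The lookup `args&.[](:name) || args&.[]("name")` handles symbol and string keys, but if `args` is not a Hash (an Array or String from a malformed request) `[]` with a Symbol raises `TypeError` instead of denying, so guarding with `args.is_a?(Hash)` first would be more robust. Finally, the new block only runs inside the `is_moderator?` branch, which is correct for this fix but worth a short comment so later readers do not assume `Report.hidden?` is consulted for every role.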
Source: GitHub Commit Update
Detection Methods for CVE-2026-32143
Indicators of Compromise
- Unexpected CSV export requests from moderator accounts targeting admin-restricted reports
- Anomalous access patterns to /admin/export_csv/export_entity endpoint
- Moderator accounts downloading reports they typically would not access through the UI
- Audit log entries showing report exports for sensitive operational data by non-admin staff
Detection Strategies
- Monitor audit logs for CSV export activities by moderator-level accounts
- Implement alerting on export requests for admin-restricted report types from non-admin users
- Review access logs for the export_csv_controller endpoint with report entity parameters
- Correlate export activities with normal moderator workflow patterns to identify anomalies
Monitoring Recommendations
- Enable detailed logging for all CSV export operations in Discourse
- Configure alerts for any export requests containing sensitive report names
- Implement regular audit reviews of moderator account activities
- Monitor for bulk or repeated export requests that may indicate data harvesting attempts
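The detection and monitoring points above, turned into a small scan over request records, as an added example that is not Discourse code. It assumes a constructed JSON-lines log format (user, role, path, params) and uses placeholder admin-only report names, since the advisory names none; it flags non-admin report exports of those names, surfaces report exports with no name (the case the patched guardian allows through), and reports users whose export count reaches a bulk threshold.

```ruby
require "json"

# Endpoint named in the advisory.
EXPORT_PATH = "/admin/export_csv/export_entity"

# Placeholder admin-only report names: the advisory names none, so substitute the
# names for which Report.hidden?(name, admin: false) returns true on your install.
ADMIN_ONLY_REPORTS = %w[placeholder_admin_report_a placeholder_admin_report_b].freeze

# Classify one request record. Returns a reason string, or nil when nothing is wrong.
def flag_export(rec)
  return nil unless rec["path"] == EXPORT_PATH && rec["role"] != "admin"
  params = rec["params"] || {}
  return nil unless params["entity"] == "report"
  args = params["args"]
  name = args.is_a?(Hash) ? args["name"].to_s : ""
  # A report export with no name from a non-admin is anomalous and worth surfacing.
  return "report export with no name by #{rec["role"]} #{rec["user"]}" if name.empty?
  return "admin-only report #{name} exported by #{rec["role"]} #{rec["user"]}" if ADMIN_ONLY_REPORTS.include?(name)
  nil
end

# Walk JSON-lines records. Returns per-request hits plus the non-admin users whose
# export count reaches bulk_threshold (repeated exports may indicate harvesting).
def scan_export_log(lines, bulk_threshold: 3)
  hits = []
  counts = Hash.new(0)
  lines.each do |line|
    rec = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip malformed lines rather than abort the scan
    end
    next unless rec.is_a?(Hash)
    counts[rec["user"]] += 1 if rec["path"] == EXPORT_PATH && rec["role"] != "admin"
    reason = flag_export(rec)
    hits << { user: rec["user"], reason: reason } if reason
  end
  { hits: hits, bulk_exporters: counts.select { |_, n| n >= bulk_threshold }.keys }
end

# Constructed sample records in an assumed JSON-lines format (not real Discourse output).
SAMPLE_LOG = <<~LOG
  {"user":"mod_alice","role":"moderator","path":"/admin/export_csv/export_entity","params":{"entity":"report","args":{"name":"placeholder_admin_report_a"}}}
  {"user":"admin_bob","role":"admin","path":"/admin/export_csv/export_entity","params":{"entity":"report","args":{"name":"placeholder_admin_report_a"}}}
  {"user":"mod_alice","role":"moderator","path":"/admin/export_csv/export_entity","params":{"entity":"staff_action"}}
  {"user":"mod_alice","role":"moderator","path":"/admin/export_csv/export_entity","params":{"entity":"report","args":{"name":"placeholder_public_report"}}}
  {"user":"mod_carol","role":"moderator","path":"/admin/export_csv/export_entity","params":{"entity":"report"}}
  not json at all
LOG
```

Run `scan_export_log(SAMPLE_LOG.lines)` to get the two hits (mod_alice's admin-only export and mod_carol's nameless report export) and mod_alice listed as a bulk exporter at the default threshold of three.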
How to Mitigate CVE-2026-32143
Immediate Actions Required
- Upgrade Discourse to patched versions 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Review audit logs to determine if this vulnerability was exploited prior to patching
- Assess what admin-restricted reports may have been accessed by moderators
- Consider temporarily restricting CSV export capabilities until patching is complete
Patch Information
Discourse has released security patches addressing this vulnerability. The fix adds proper authorization checks to ensure moderators cannot export admin-only reports via CSV. The patched versions are:
- Version 2026.1.3 for the 2026.1.x branch
- Version 2026.2.2 for the 2026.2.x branch
- Version 2026.3.0 for the 2026.3.x branch
For detailed patch information, see the GitHub Security Advisory GHSA-rhjf-mgqw-37wq and the security commit.
Workarounds
- Temporarily disable CSV export functionality for non-admin users if immediate patching is not possible
- Restrict moderator permissions to only trusted personnel until the update is applied
- Implement network-level controls to limit access to the admin export endpoint
- Monitor and audit all moderator activities during the vulnerable period
# Update Discourse to the latest patched version
cd /var/discourse
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.