CVE-2026-32607 Overview
Discourse, a widely-used open-source discussion platform, contains a Cross-Site Scripting (XSS) vulnerability affecting multiple versions. When the hidden prioritize_full_name_in_ux site setting is enabled (which defaults to false and requires console access to change), user and group display names are rendered without proper HTML escaping in several assignment-related UI paths. This allows authenticated users with assign permission to inject arbitrary HTML/JavaScript that executes in the browser of any user viewing an affected topic.
Critical Impact
Authenticated attackers with assign permission can inject malicious scripts that execute in victims' browsers when viewing affected topics, potentially leading to session hijacking, data theft, or unauthorized actions.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-32607 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32607
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in how Discourse handles the rendering of user and group display names within assignment-related UI components.
When the prioritize_full_name_in_ux site setting is enabled via console access, the platform fails to properly escape HTML entities in display name fields before rendering them in the browser. This creates an opportunity for stored XSS attacks where malicious payloads persist in the database and execute whenever other users view affected content.
The attack requires several preconditions: the hidden site setting must be manually enabled through console access, and the attacker must have assign permission within the Discourse instance. While these requirements limit the attack surface, successful exploitation can impact any user who views a topic containing the malicious assignment.
Root Cause
The root cause lies in insufficient output encoding within the assignment-related UI rendering paths. When the prioritize_full_name_in_ux setting is active, the display name values are inserted into the DOM without HTML entity escaping. This allows HTML metacharacters and JavaScript code embedded in display names to be interpreted as executable code rather than text content.
Attack Vector
The attack is network-based and requires authentication with assign permission. An attacker would modify their display name or group name to include malicious JavaScript, then create or modify an assignment that triggers the vulnerable rendering path. When other authenticated users view the affected topic, the injected script executes within their browser session context.
The vulnerability enables classic stored XSS attack scenarios including:
- Stealing session tokens and authentication cookies
- Performing actions on behalf of victim users
- Redirecting users to phishing pages
- Modifying page content to deceive users
For technical implementation details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-32607
Indicators of Compromise
- Unusual HTML or JavaScript code present in user display names or group names
- Assignment entries containing encoded script tags or event handlers (e.g., <script>, onerror=, onload=)
- Unexpected network requests originating from the Discourse application to external domains
- User reports of strange behavior when viewing specific topics with assignments
Detection Strategies
- Review Discourse database for user display names containing HTML special characters or JavaScript code patterns
- Monitor web application firewall (WAF) logs for XSS payload patterns in form submissions
- Implement Content Security Policy (CSP) reporting to detect inline script execution attempts
- Audit admin console access logs for changes to the prioritize_full_name_in_ux setting
Monitoring Recommendations
- Enable and review Discourse admin activity logs for suspicious setting changes
- Configure browser-side monitoring to detect unexpected script execution
- Set up alerts for rapid changes to user profile display names
- Monitor for anomalous session token usage that may indicate session hijacking
How to Mitigate CVE-2026-32607
Immediate Actions Required
- Upgrade to patched versions: 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Audit user and group display names for any suspicious HTML or JavaScript content
- Review admin console access logs to determine if the prioritize_full_name_in_ux setting was enabled
- If the setting is enabled, consider disabling it until patches are applied
Patch Information
Discourse has released security patches addressing this vulnerability. The fix implements proper HTML escaping for display names in assignment-related UI paths. Patched versions include 2026.1.3, 2026.2.2, and 2026.3.0. The fix can be reviewed in the GitHub commit.
Workarounds
- Disable the prioritize_full_name_in_ux site setting via console if it was previously enabled
- Restrict assign permissions to trusted users only until patches are applied
- Implement Content Security Policy headers to mitigate the impact of any XSS exploitation
- Review and sanitize existing user display names to remove any potentially malicious content
# Configuration example - Check if the vulnerable setting is enabled
cd /var/discourse
./launcher enter app
rails c
SiteSetting.prioritize_full_name_in_ux
# If true, disable it as a temporary mitigation:
# SiteSetting.prioritize_full_name_in_ux = false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
