CVE-2026-32618 Overview
CVE-2026-32618 is an information disclosure vulnerability in Discourse, an open-source discussion platform. It allows any authenticated user to infer the membership of chat channels they cannot access, by way of the chat user search functionality, because the search applied a channel-based exclusion without an authorization check. This issue affects multiple versions of Discourse across the 2026.1.x, 2026.2.x, and 2026.3.x release branches.
Critical Impact
Authenticated attackers can determine which users are members of private chat channels they don't have access to, potentially exposing sensitive organizational structures and communication patterns.
Affected Products
- Discourse 2026.1.x branch: versions from 2026.1.0-latest up to, but not including, 2026.1.3
- Discourse 2026.2.x branch: versions from 2026.2.0-latest up to, but not including, 2026.2.2
- Discourse 2026.3.x branch: pre-release builds from 2026.3.0-latest up to, but not including, the 2026.3.0 release (2026.3.0 itself is patched)
Discovery Timeline
- 2026-03-31 - CVE-2026-32618 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32618
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in the chat user search functionality within Discourse's chat plugin. When performing user searches with the excluded_memberships_channel_id parameter, the application failed to verify whether the requesting user had permission to view information about the specified channel's membership.
The vulnerability allows a low-privileged authenticated user to make network requests that reveal membership information for channels they cannot normally access. While no data modification is possible, the confidentiality breach could expose private organizational structures or reveal which users are communicating in restricted channels.
Root Cause
The root cause lies in the Chat::SearchChatable service located in plugins/chat/app/services/chat/search_chatable.rb. The original implementation directly excluded users from search results based on channel membership without first validating that the requesting user had permission to preview the target channel. This missing authorization check allowed any authenticated user to pass arbitrary channel IDs and observe which users were excluded from results, thereby inferring channel membership.
Attack Vector
The attack is network-based and requires low privileges (any authenticated Discourse account). An attacker can exploit this vulnerability by:
- Running a chat user search twice with the same search term: once without the excluded_memberships_channel_id parameter and once with it set to a target channel ID
- Comparing the two result sets; users present in the first but absent from the second were excluded because they hold a membership in that channel
- Inferring that those excluded users are members of the specified private channel
- Repeating with different channel IDs (and different search terms) to map out private channel membership across the platform
user_search = user_search.includes(:user_option)
if params.excluded_memberships_channel_id
- user_search =
- user_search.where(
- "NOT EXISTS (SELECT 1 FROM user_chat_channel_memberships WHERE user_id = users.id AND chat_channel_id = ?)",
- params.excluded_memberships_channel_id,
- )
+ channel =
+ Chat::Channel.includes(:chatable).find_by(id: params.excluded_memberships_channel_id)
+ if channel && guardian.can_preview_chat_channel?(channel)
+ user_search =
+ user_search.where(
+ "NOT EXISTS (SELECT 1 FROM user_chat_channel_memberships WHERE user_id = users.id AND chat_channel_id = ?)",
+ params.excluded_memberships_channel_id,
+ )
+ end
end
filter_term = params.term.to_s
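Review bot: the silent fall-through when `channel` is nil or `guardian.can_preview_chat_channel?(channel)` is false is the right shape (raising or returning an error here would itself tell the caller whether the id names a real, restricted channel), but the hunk leaves that decision unexplained and untested. Add a one-line comment above `channel =` stating that an unknown or non-previewable excluded_memberships_channel_id is deliberately ignored rather than rejected, and a spec asserting that such a request returns exactly the same result set as a request without the parameter, since that equivalence is what closes the inference channel.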
Source: GitHub Discourse Commit
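The inference described under Attack Vector, and why the guardian check in the patch closes it, can be shown with an in-memory model of the search. This is an added example, not Discourse code: the user list, membership table and guardian rule are constructed, and search_vulnerable / search_patched stand in for the two versions of Chat::SearchChatable shown in the diff.

```ruby
# Added example (not Discourse code): in-memory model of the vulnerable and
# patched exclusion filter, plus the attacker's set-difference inference.
# All users, memberships and the guardian rule below are constructed.

USERS = %w[alice bob carol dave].freeze

# Constructed membership table: channel id => member usernames.
MEMBERSHIPS = {
  10 => %w[alice bob], # private channel the attacker cannot preview
  20 => %w[carol],     # public channel everyone can preview
}.freeze

# Constructed stand-in for guardian.can_preview_chat_channel?:
# channel 20 is previewable by everyone, channel 10 only by its members,
# unknown ids are never previewable.
def can_preview_chat_channel?(requester, channel_id)
  return false unless MEMBERSHIPS.key?(channel_id)
  channel_id == 20 || MEMBERSHIPS[channel_id].include?(requester)
end

# Vulnerable behaviour: the NOT EXISTS exclusion is applied for any id,
# regardless of who is asking.
def search_vulnerable(_requester, excluded_channel_id: nil)
  return USERS if excluded_channel_id.nil?
  USERS.reject { |u| MEMBERSHIPS.fetch(excluded_channel_id, []).include?(u) }
end

# Patched behaviour: the exclusion is applied only when the requester may
# preview the channel; otherwise the parameter is silently ignored, so an
# unknown id and a forbidden id both look like "no parameter".
def search_patched(requester, excluded_channel_id: nil)
  if excluded_channel_id && can_preview_chat_channel?(requester, excluded_channel_id)
    USERS.reject { |u| MEMBERSHIPS[excluded_channel_id].include?(u) }
  else
    USERS
  end
end

# The attacker's inference: users returned without the parameter but
# missing with it are the channel's members.
def infer_members(search, requester, channel_id)
  baseline = search.call(requester, excluded_channel_id: nil)
  filtered = search.call(requester, excluded_channel_id: channel_id)
  (baseline - filtered).sort
end

# Sweep a range of candidate channel ids (the last step of the attack).
def enumerate(search, requester, candidate_ids)
  candidate_ids.each_with_object({}) do |cid, acc|
    members = infer_members(search, requester, cid)
    acc[cid] = members unless members.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # dave is a member of no channel; the vulnerable search still reveals
  # channel 10's members, the patched one reveals only the public channel.
  p enumerate(method(:search_vulnerable), 'dave', (1..30).to_a)
  p enumerate(method(:search_patched), 'dave', (1..30).to_a)
end
```

Because the real search is term-filtered (filter_term in the hunk above), an attacker does not need the full user list: probing one username at a time, with and without the parameter, gives the same yes/no answer per user. The patched model returns an identical result set for a non-previewable or nonexistent channel id, which is the property a regression spec should assert.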
Detection Methods for CVE-2026-32618
Indicators of Compromise
- Unusual patterns of chat user search requests with varying excluded_memberships_channel_id values
- Single users making rapid sequential search requests targeting different channel IDs
- Search requests referencing channel IDs the requesting user should not have knowledge of
- Elevated search API activity from low-privilege accounts
Detection Strategies
- Monitor Discourse application logs for user search requests containing the excluded_memberships_channel_id parameter
- Implement rate limiting detection for chat search endpoints to identify enumeration attempts
- Audit access logs for authenticated users querying multiple private channel IDs in short time periods
- Compare channel IDs in search requests against the requesting user's actual channel access permissions
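The strategies above amount to two checks over request logs: how many distinct excluded_memberships_channel_id values one account probes in a short window, and whether those ids are channels the account may actually see. The script below is an added example, not part of Discourse or the advisory. The log lines are constructed in a generic "timestamp user method path" shape and the /chat/search path is a placeholder; only the parameter name comes from the advisory. Adapt parse_line to your real Discourse or nginx log format and feed forbidden_probes the per-user channel access you export from your instance.

```ruby
# Added example (not Discourse code): detection over constructed log lines.
require 'time'
require 'uri'
require 'cgi'

# Constructed sample log. Endpoint path is a placeholder; the parameter
# name is the one named in the advisory.
SAMPLE_LOG = <<~LOG
  2026-04-01T10:00:00Z dave GET /chat/search?term=a&excluded_memberships_channel_id=10
  2026-04-01T10:00:01Z dave GET /chat/search?term=a&excluded_memberships_channel_id=11
  2026-04-01T10:00:02Z dave GET /chat/search?term=a&excluded_memberships_channel_id=12
  2026-04-01T10:00:03Z dave GET /chat/search?term=a&excluded_memberships_channel_id=13
  2026-04-01T10:00:04Z dave GET /chat/search?term=a&excluded_memberships_channel_id=14
  2026-04-01T10:00:05Z dave GET /chat/search?term=a&excluded_memberships_channel_id=14
  2026-04-01T10:00:30Z alice GET /chat/search?term=bob&excluded_memberships_channel_id=20
  2026-04-01T10:05:00Z alice GET /chat/search?term=bob
  2026-04-01T11:00:00Z carol GET /chat/search?term=x&excluded_memberships_channel_id=10
LOG

Event = Struct.new(:time, :user, :channel_id)

# Parse one line into an Event, or nil when the request does not carry
# the excluded_memberships_channel_id parameter.
def parse_line(line)
  ts, user, _method, target = line.split(' ', 4)
  return nil unless ts && user && target
  query = URI.parse(target).query
  return nil unless query
  ids = CGI.parse(query).fetch('excluded_memberships_channel_id', [])
  return nil if ids.empty?
  Event.new(Time.iso8601(ts), user, ids.first)
end

def events_from(log)
  log.each_line.map { |l| parse_line(l.strip) }.compact
end

# Enumeration check: for each user, the largest number of distinct channel
# ids probed inside any `window`-second span; users at or above
# `threshold` are returned with that count.
def detect_enumeration(log, window: 60, threshold: 5)
  flagged = {}
  events_from(log).group_by(&:user).each do |user, evs|
    evs.sort_by!(&:time)
    max_ids = 0
    evs.each_index do |i|
      start = evs[i].time
      in_window = evs[i..].take_while { |e| e.time - start <= window }
      n = in_window.map(&:channel_id).uniq.size
      max_ids = n if n > max_ids
    end
    flagged[user] = max_ids if max_ids >= threshold
  end
  flagged
end

# Permission check: channel ids a user probed that are not in the set of
# channels that user is allowed to see (allowed_channels: user => [ids]).
def forbidden_probes(log, allowed_channels)
  events_from(log).each_with_object({}) do |e, acc|
    next if allowed_channels.fetch(e.user, []).include?(e.channel_id)
    acc[e.user] ||= []
    acc[e.user] << e.channel_id unless acc[e.user].include?(e.channel_id)
  end
end

if __FILE__ == $PROGRAM_NAME
  allowed = { 'dave' => ['20'], 'alice' => ['20'], 'carol' => ['20'] } # constructed
  p detect_enumeration(SAMPLE_LOG)
  p forbidden_probes(SAMPLE_LOG, allowed)
end
```

The two checks are complementary: the enumeration check needs no knowledge of channel permissions and catches sweeps, while the permission check catches a single targeted probe (carol probing channel 10 above) that a rate threshold would never flag. Before the patch, a single such request is already a successful disclosure, so the permission check is the one to act on when reviewing historical logs.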
Monitoring Recommendations
- Enable verbose logging for the chat plugin's search functionality
- Set up alerts for anomalous search request patterns targeting the chat user search endpoint
- Review authentication logs for accounts exhibiting reconnaissance behavior
- Implement honeypot channels to detect membership inference attempts
How to Mitigate CVE-2026-32618
Immediate Actions Required
- Upgrade Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0 or later immediately
- Review access logs to determine if this vulnerability may have been exploited
- Audit sensitive channel membership for any signs of unauthorized information exposure
- Notify affected users if evidence of exploitation is discovered
Patch Information
Discourse has released patched versions that address this vulnerability. The fix adds an authorization check using the guardian.can_preview_chat_channel? method before allowing channel membership data to influence search results. The patch is available in:
- Version 2026.1.3 for the 2026.1.x branch
- Version 2026.2.2 for the 2026.2.x branch
- Version 2026.3.0 for the 2026.3.x branch
For additional details, see the GitHub Security Advisory GHSA-pc8p-w2m7-hgf3 and the security patch commit.
Workarounds
- Temporarily disable the chat plugin if immediate patching is not possible
- Implement web application firewall rules to block or rate-limit requests containing the excluded_memberships_channel_id parameter (note that blocking it outright also disables legitimate use of that search option)
- Restrict chat functionality to trusted user groups until the patch can be applied
- Monitor and alert on search API abuse patterns as an interim detection measure
# Configuration example - Upgrade Discourse using the standard process
cd /var/discourse
git pull
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.