CVE-2026-32620 Overview
CVE-2026-32620 is an Information Exposure vulnerability affecting Discourse, the popular open-source discussion platform. This authorization bypass flaw allows non-staff users to access read receipt information for staff-only posts (also known as "whispers") that they should not be able to see. While no actual post content is exposed, metadata about who read the post and when is disclosed to unauthorized users.
Critical Impact
Unauthorized users can enumerate staff activity patterns and identify which staff members have viewed confidential whisper posts, potentially revealing organizational workflows and internal communication patterns.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-32620 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32620
Vulnerability Analysis
This vulnerability stems from a missing post-level authorization check in the Discourse post readers controller. When users query the read receipt endpoint for a post, the application validates whether the user can see the list of readers but fails to first verify whether the user has permission to see the underlying post itself. This creates a security gap where authenticated users with low privileges can retrieve metadata about staff-only whisper posts by directly requesting the readers endpoint with a known post ID.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attack requires network access and a low-privileged authenticated user account. While the confidentiality impact is limited since only metadata is exposed rather than post content, this information could be valuable for reconnaissance or social engineering attacks against staff members.
Root Cause
The root cause is a missing authorization check in the PostReadersController#index action. The controller calls ensure_can_see_readers! to verify if the user can view the readers list, but neglects to first call guardian.ensure_can_see!(post) to verify the user has permission to see the post itself. This violates the principle of defense in depth where multiple authorization layers should protect sensitive resources.
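The ordering described above is easiest to see in a reduced model. The following Ruby is an added illustration, not Discourse's own code: the Post, User and Guardian classes, the in-memory POSTS table and the two index variants are all constructed here, and the Guardian only reproduces the one rule that matters (whispers are visible to staff only). The vulnerable variant runs only the reader-list check, while the fixed variant first requires that the post itself be visible, so a non-staff account is denied before any reader metadata is assembled.

```ruby
# Added model of the PostReadersController#index authorization flow.
# Everything below is constructed for illustration; it is not Discourse code.

Post = Struct.new(:id, :whisper, :readers, keyword_init: true)
User = Struct.new(:name, :staff, keyword_init: true)

class AccessDenied < StandardError; end

# Minimal stand-in for Discourse's Guardian: whispers are staff-only.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    !post.whisper || @user.staff
  end

  def ensure_can_see!(post)
    raise AccessDenied, "cannot see post #{post.id}" unless can_see?(post)
  end

  # In this model any logged-in user may see a reader list; the real
  # ensure_can_see_readers! rule is not reproduced here.
  def ensure_can_see_readers!(_post)
    raise AccessDenied, "not logged in" if @user.nil?
  end
end

# Constructed sample data: one public post and one whisper.
POSTS = {
  1 => Post.new(id: 1, whisper: false, readers: ["alice", "bob"]),
  2 => Post.new(id: 2, whisper: true,  readers: ["mod_carol", "admin_dave"]),
}.freeze

# Before the fix: only the reader-list check runs, so the whisper's
# reader metadata is returned to anyone who knows the post ID.
def index_vulnerable(user, post_id)
  post = POSTS.fetch(post_id)
  guardian = Guardian.new(user)
  guardian.ensure_can_see_readers!(post)
  post.readers
end

# After the fix: post visibility is enforced first (defense in depth).
def index_fixed(user, post_id)
  post = POSTS.fetch(post_id)
  guardian = Guardian.new(user)
  guardian.ensure_can_see!(post)
  guardian.ensure_can_see_readers!(post)
  post.readers
end

# Returns the reader list on success or a "denied: ..." string on failure.
def outcome(variant, user, post_id)
  send(variant, user, post_id)
rescue AccessDenied => e
  "denied: #{e.message}"
end

if __FILE__ == $0
  member = User.new(name: "eve", staff: false)
  staff  = User.new(name: "mod_carol", staff: true)
  puts outcome(:index_vulnerable, member, 2).inspect  # whisper readers leak
  puts outcome(:index_fixed, member, 2).inspect       # denied
  puts outcome(:index_fixed, staff, 2).inspect        # staff still sees them
end
```

The point of the model is the order of the two guards: the reader-list rule is a second layer and must not be the only one, because it answers a different question ("may this user see who read a post?") from the one that protects whispers ("may this user see this post at all?").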
Attack Vector
An attacker with a standard user account on a Discourse forum can exploit this vulnerability through direct API requests:
- The attacker enumerates or discovers post IDs for staff-only whisper posts
- They craft a request to the /post_readers endpoint with the target post ID
- The server returns read receipt metadata (usernames and timestamps) without verifying post visibility
- The attacker collects information about staff activity and reading patterns
def index
post = Post.includes(topic: %i[topic_allowed_groups topic_allowed_users]).find(params[:id])
+ guardian.ensure_can_see!(post)
ensure_can_see_readers!(post)
readers =
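Review bot: the new guardian.ensure_can_see!(post) call sits in the right place, ahead of ensure_can_see_readers!, so post visibility is enforced before the reader-list rule; note that Post...find(params[:id]) still runs before either guard, so an unknown ID fails with a record-not-found error while a hidden whisper now fails with the guardian's access error. Consider whether those two paths should produce the same response so that the endpoint does not reveal which IDs belong to whispers, and add a regression spec that requests the readers of a whisper as a non-staff user and expects the denial.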
Source: GitHub Commit
Detection Methods for CVE-2026-32620
Indicators of Compromise
- Unusual API requests to /post_readers endpoints from non-staff user accounts
- High volume of requests to read receipt endpoints with sequential or enumerated post IDs
- Access logs showing authenticated users querying readers for posts they haven't viewed
- Anomalous patterns of post ID enumeration in application logs
Detection Strategies
- Monitor application logs for requests to the PostReadersController#index endpoint from non-admin users
- Implement rate limiting and anomaly detection on the post readers API endpoint
- Review access logs for patterns indicating systematic post ID enumeration attempts
- Configure web application firewall rules to detect suspicious API access patterns
Monitoring Recommendations
- Enable verbose logging for the post readers controller to capture all access attempts
- Set up alerts for failed authorization checks or unexpected access patterns
- Monitor for bulk requests to read receipt endpoints that may indicate reconnaissance
- Implement user behavior analytics to identify accounts exhibiting enumeration behavior
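The detection and monitoring bullets above come down to one query: which non-staff accounts are requesting read receipts for many distinct, often consecutive, post IDs in a short window. The Ruby below is an added example, not part of the advisory or of Discourse. It assumes a simplified access-log format of "timestamp user method path status" (constructed here; a real deployment would adapt parse_line to its own nginx or Rails log layout), takes the staff list as an argument, and returns the flagged users with the IDs they touched and the longest consecutive run among them.

```ruby
require "time"

# Added detection example for the /post_readers enumeration pattern.
# Log format assumed (constructed): "<iso8601 time> <user> <method> <path> <status>".

LogEntry = Struct.new(:time, :user, :method, :path, :status, keyword_init: true)

LINE_RE = /\A(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})\z/

def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  LogEntry.new(time: Time.iso8601(m[1]), user: m[2], method: m[3],
               path: m[4], status: m[5].to_i)
end

# Post ID from a /post_readers request (with or without .json), else nil.
def post_readers_id(path)
  m = %r{\A/post_readers(?:\.json)?\?(?:.*&)?id=(\d+)}.match(path)
  m && m[1].to_i
end

# Length of the longest run of consecutive integers in a sorted id list.
def longest_consecutive_run(ids)
  return 0 if ids.empty?
  best = run = 1
  ids.each_cons(2) do |a, b|
    run = (b == a + 1) ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Flags non-staff users who query read receipts for at least `threshold`
# distinct post IDs within any `window`-second span.
# Returns { user => { ids: [...], run: <longest consecutive run> } }.
def find_enumeration(lines, staff:, threshold: 5, window: 300)
  per_user = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    e = parse_line(line) or next
    id = post_readers_id(e.path) or next
    next if staff.include?(e.user)          # staff may legitimately see these
    per_user[e.user] << [e.time, id]
  end

  findings = {}
  per_user.each do |user, hits|
    hits.sort_by!(&:first)
    hits.each_index do |i|
      t0 = hits[i][0]
      ids = hits[i..].take_while { |t, _| t - t0 <= window }.map(&:last).uniq.sort
      next if ids.size < threshold
      findings[user] = { ids: ids, run: longest_consecutive_run(ids) }
      break
    end
  end
  findings
end

# Constructed sample log: "eve" walks sequential IDs, "bob" makes one normal
# request, and "mod_carol" is staff doing the same thing legitimately.
SAMPLE_LOG = <<~LOG
  2026-04-01T10:00:01Z eve GET /post_readers?id=101 200
  2026-04-01T10:00:02Z eve GET /post_readers?id=102 200
  2026-04-01T10:00:03Z eve GET /post_readers?id=103 200
  2026-04-01T10:00:04Z eve GET /post_readers?id=104 200
  2026-04-01T10:00:05Z eve GET /post_readers?id=105 200
  2026-04-01T10:00:06Z eve GET /post_readers?id=106 200
  2026-04-01T10:00:07Z bob GET /post_readers?id=101 200
  2026-04-01T10:00:08Z bob GET /t/some-topic/9 200
  2026-04-01T10:00:09Z mod_carol GET /post_readers?id=101 200
  2026-04-01T10:00:10Z mod_carol GET /post_readers?id=102 200
  2026-04-01T10:00:11Z mod_carol GET /post_readers?id=103 200
  2026-04-01T10:00:12Z mod_carol GET /post_readers?id=104 200
  2026-04-01T10:00:13Z mod_carol GET /post_readers?id=105 200
LOG

if __FILE__ == $0
  find_enumeration(SAMPLE_LOG.lines, staff: ["mod_carol"]).each do |user, f|
    puts "#{user}: #{f[:ids].size} distinct post ids, longest run #{f[:run]}"
  end
end
```

Before the patch is deployed, a 200 response on these requests from a non-staff account is the signal to act on; after it, the same requests should fail the new guardian check, so the status column becomes a second indicator and the threshold can be lowered.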
How to Mitigate CVE-2026-32620
Immediate Actions Required
- Upgrade Discourse to patched versions: 2026.1.3, 2026.2.2, or 2026.3.0
- Review access logs for any evidence of exploitation prior to patching
- Audit staff-only whisper posts that may have had their read receipts exposed
- Consider temporarily disabling read receipt functionality if immediate patching is not possible
Patch Information
Discourse has released security patches addressing this vulnerability. The fix adds a proper authorization check using guardian.ensure_can_see!(post) before processing read receipt requests. Organizations should update to the following versions:
- Version 2026.1.3 for the 2026.1.x branch
- Version 2026.2.2 for the 2026.2.x branch
- Version 2026.3.0 for the 2026.3.x branch
For detailed technical information, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- Restrict access to the Discourse API for untrusted users until patching is complete
- Implement network-level access controls to limit API endpoint exposure
- Disable the read receipt feature at the site settings level if available
- Monitor and audit all post reader endpoint access while awaiting patch deployment
# Upgrade example (standard Docker-based Discourse install)
# Rebuild the container so it picks up the patched Discourse version
cd /var/discourse
./launcher rebuild app
# Verify the installed version after the upgrade (runs inside the app container)
./launcher enter app
rails runner "puts Discourse::VERSION::STRING"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.