CVE-2026-32951 Overview
CVE-2026-32951 is an information disclosure vulnerability affecting Discourse, an open-source discussion platform. The flaw allows an authenticated user to obtain shared draft topic titles by exploiting the inline onebox request functionality. By sending a crafted request with a category_id parameter matching the shared drafts category, an attacker can bypass intended access restrictions and view draft titles that should remain confidential.
Critical Impact
Authenticated users can access confidential shared draft topic titles, potentially exposing sensitive information before it is intended to be published.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-32951 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32951
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue stems from insufficient access control validation in the Oneboxer component when processing inline onebox requests. When a user sends a request with a category_id parameter that matches the shared drafts category, the application fails to properly verify whether the requesting user has authorization to view topics within that category.
The vulnerability requires network access and a low-privilege authenticated account to exploit, but does not require user interaction. The attack results in unauthorized disclosure of confidential draft topic titles, which could reveal sensitive organizational information, upcoming announcements, or strategic plans before they are ready for publication.
Root Cause
The root cause lies in the topic visibility check within the Oneboxer component (lib/oneboxer.rb). The original implementation had a conditional check that verified topic visibility when the current category did not match the topic's category. However, when categories matched, the visibility check was bypassed entirely rather than validating the current user's permissions to access the topic. This created a security gap where authenticated users could access shared drafts by simply supplying the matching category ID.
Attack Vector
An attacker with a valid authenticated session can exploit this vulnerability through the following attack vector:
- Identify or guess the category_id of the shared drafts category
- Send an inline onebox request to the Discourse server
- Include the category_id parameter matching the shared drafts category
- The server returns topic titles from the shared drafts without proper authorization validation
The following patch addresses this vulnerability by ensuring user permissions are verified even when categories match:
if current_category.blank? || current_category.id != topic.category_id
return unless Guardian.new.can_see_topic?(topic)
+ else
+ return unless Guardian.new(current_user).can_see_topic?(topic)
end
topic
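Review bot: the new `else` branch closes the bypass, but the two branches now consult different guardians: `Guardian.new` (no user, i.e. an anonymous viewer) when the request's category differs from the topic's, and `Guardian.new(current_user)` when they match. If the anonymous check in the first branch is intentional (a topic is oneboxed across categories only when it is publicly visible), a one-line comment saying so would stop a future reader from "harmonising" the two, and the call site should guarantee `current_user` is populated, since a nil user would reduce the second branch to the same anonymous check and deny staff the oneboxes they are entitled to. The unchanged lines of the hunk also carry no leading context marker, so the indentation of the added `else` / `return unless` should be checked against the surrounding block before merge.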
Source: GitHub Commit Update
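To make the root cause concrete, here is a simplified Ruby model of the lib/oneboxer.rb check before and after the patch above. This is an added example, not Discourse's code: Category, Topic, User and Guardian are toy stand-ins (Discourse's real Guardian and group permissions are far richer), and the shared-drafts category, draft title and users are constructed sample data.

```ruby
# Toy stand-ins for Discourse models (constructed for this example).
Category = Struct.new(:id, :allowed_group)   # allowed_group nil => public category
Topic    = Struct.new(:id, :title, :category)
User     = Struct.new(:name, :groups)

# Toy Guardian: a topic is visible if its category is public or the user belongs
# to the category's allowed group. Guardian.new with no user is an anonymous reader.
class Guardian
  def initialize(user = nil)
    @user = user
  end

  def can_see_topic?(topic)
    group = topic.category.allowed_group
    group.nil? || (!@user.nil? && @user.groups.include?(group))
  end
end

# Pre-fix logic: if the request's category_id matches the topic's category,
# no visibility check runs and the topic (with its title) is returned.
# Note that current_user is never consulted on this path.
def topic_for_inline_onebox_vulnerable(topic, current_category, current_user)
  if current_category.nil? || current_category.id != topic.category.id
    return unless Guardian.new.can_see_topic?(topic)
  end
  topic
end

# Post-fix logic (mirrors the patch): the matching-category branch now checks
# the requesting user's permissions instead of skipping the check.
def topic_for_inline_onebox_fixed(topic, current_category, current_user)
  if current_category.nil? || current_category.id != topic.category.id
    return unless Guardian.new.can_see_topic?(topic)
  else
    return unless Guardian.new(current_user).can_see_topic?(topic)
  end
  topic
end

# Constructed sample data: a shared-drafts category readable only by :staff.
SHARED_DRAFTS = Category.new(7, :staff)
DRAFT         = Topic.new(42, "Unreleased pricing change (draft)", SHARED_DRAFTS)
REGULAR_USER  = User.new("alice", [:trust_level_1])
STAFF_USER    = User.new("bob", [:staff])

# Title a user gets back when supplying category_id = 7 with either version, or nil.
def leaked_title(version, user)
  topic = send(version, DRAFT, SHARED_DRAFTS, user)
  topic&.title
end
```

Calling `leaked_title(:topic_for_inline_onebox_vulnerable, REGULAR_USER)` returns the draft title to a non-staff user, while the fixed version returns nil for that user and the title only for a member of :staff.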
Detection Methods for CVE-2026-32951
Indicators of Compromise
- Unusual onebox requests containing category_id parameters targeting shared draft categories
- Authenticated users accessing draft topic information they should not have permission to view
- Elevated API request frequency to onebox endpoints from specific user accounts
Detection Strategies
- Monitor Discourse application logs for inline onebox requests that include category_id parameters
- Implement alerting for access attempts to shared drafts categories from unauthorized users
- Review access patterns to identify users attempting to enumerate category IDs
Monitoring Recommendations
- Enable detailed request logging for the Oneboxer component
- Implement rate limiting on onebox endpoints to prevent enumeration attacks
- Configure alerts for failed authorization attempts in the Guardian module
- Regularly audit user access patterns to shared draft categories
How to Mitigate CVE-2026-32951
Immediate Actions Required
- Upgrade Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Review access logs to identify potential exploitation attempts
- Audit shared draft categories for any unauthorized access
Patch Information
Discourse has released patched versions that address this vulnerability. The fix ensures that topic visibility is properly validated using the current user's permissions even when the category IDs match. Updates are available through the official Discourse update channels.
- Patched in version 2026.1.3 for the 2026.1.x branch
- Patched in version 2026.2.2 for the 2026.2.x branch
- Patched in version 2026.3.0 for the 2026.3.x branch
For detailed information, see the GitHub Security Advisory GHSA-v93g-8f4f-4rgm.
Workarounds
- Restrict access to shared draft categories to only trusted administrators until patching is complete
- Implement network-level restrictions on API endpoints if immediate patching is not possible
- Consider temporarily disabling the inline onebox feature for non-admin users
# Verify Discourse version after upgrade
cd /var/discourse
./launcher enter app
rails runner "puts Discourse::VERSION::STRING"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.