CVE-2026-33300 Overview
CVE-2026-33300 is an authorization bypass in Discourse, the open-source discussion platform, that results in information disclosure. The flaw is in the show action of the Category Chatables Controller in the chat plugin: when a moderator looked up the chatable groups of a read-restricted category, the response included the names and user counts of hidden groups that the moderator is not permitted to see. The issue affects several Discourse release lines and is fixed in the patched versions listed below.
Critical Impact
Moderators can bypass authorization controls to enumerate hidden group names and obtain user counts, potentially exposing sensitive organizational structures and membership information.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-33300 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33300
Vulnerability Analysis
This is an information disclosure vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) caused by a missing authorization check in the Category Chatables Controller of Discourse's chat plugin. An authenticated user holding the moderator role could learn the names and user counts of hidden groups through the controller's show action.
The controller did not apply group visibility rules when building the response for a read-restricted category. It looked up every group that holds a permission on the category and returned all of them, so groups whose visibility setting should have hidden them from the requesting moderator were disclosed, together with their member counts.
Root Cause
The root cause is a missing visibility filter in the Group query within the Category Chatables Controller. When fetching the groups that hold permissions on a read-restricted category, the controller joined groups to category_groups without applying the visible_groups scope, so the result was not narrowed to the groups the requesting user is allowed to see. Any hidden group with a permission on the category was therefore returned to a moderator querying the endpoint. The fix applies Group.visible_groups with the requesting user (guardian.user) before the join, with include_everyone set so that the built-in "everyone" group is still considered.
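To make the effect of the missing scope concrete, the following is an added example written for this page; it is not Discourse code and does not use ActiveRecord. It models the vulnerable and fixed lookups as plain Ruby over constructed sample data. The visibility rules in visible_to? are an assumption modelled on the levels the Discourse admin UI exposes (everyone, logged-on users, members, staff, owners); the real rules live in Discourse's Group.visible_groups scope and should be checked there.

```ruby
# Added example, not Discourse code: a simplified model of the group lookup
# behind the category chatables "show" action, before and after the fix.
# The visibility rules below are an assumption (see lead-in), not the real
# Group.visible_groups scope.

User = Struct.new(:id, :admin, :moderator, keyword_init: true) do
  def staff?
    admin || moderator
  end
end

Group = Struct.new(:id, :name, :visibility, :member_ids, :owner_ids, keyword_init: true) do
  def user_count
    member_ids.size
  end

  # Who may learn that this group exists. Admins see everything; id 0 models
  # the built-in "everyone" group that include_everyone: true keeps in scope.
  def visible_to?(user)
    return true if id == 0 || visibility == :everyone || (user && user.admin)
    return false if user.nil?
    case visibility
    when :logged_on_users then true
    when :members         then member_ids.include?(user.id)
    when :staff           then user.staff?
    when :owners          then owner_ids.include?(user.id)
    else false
    end
  end
end

# A category_groups row: which group holds which permission on a category.
CategoryGroup = Struct.new(:category_id, :group_id, :permission_type, keyword_init: true)

# Constructed sample data (hypothetical groups, categories and user ids).
GROUPS = [
  Group.new(id: 0, name: "everyone",      visibility: :everyone, member_ids: [],           owner_ids: []),
  Group.new(id: 1, name: "staff-only",    visibility: :staff,    member_ids: [10, 11],     owner_ids: [10]),
  Group.new(id: 2, name: "acme-partners", visibility: :members,  member_ids: [20, 21, 22], owner_ids: [20]),
  Group.new(id: 3, name: "board",         visibility: :owners,   member_ids: [30, 31],     owner_ids: [30]),
].freeze

CATEGORY_GROUPS = [
  CategoryGroup.new(category_id: 7, group_id: 1, permission_type: :full),
  CategoryGroup.new(category_id: 7, group_id: 2, permission_type: :readonly),
  CategoryGroup.new(category_id: 7, group_id: 3, permission_type: :readonly),
  CategoryGroup.new(category_id: 8, group_id: 0, permission_type: :full),
].freeze

# The join: every group that carries a permission on the category.
def groups_for_category(category_id)
  ids = CATEGORY_GROUPS.select { |cg| cg.category_id == category_id }.map(&:group_id)
  GROUPS.select { |g| ids.include?(g.id) }
end

def serialize(groups)
  groups.map { |g| { name: g.name, user_count: g.user_count } }
end

# Before the fix: the join result is returned as-is, so the requester learns
# the name and size of every permission group, hidden or not.
def permissions_vulnerable(category_id, _user)
  serialize(groups_for_category(category_id))
end

# After the fix: the same join, narrowed to groups the requester may see
# (the role of Group.visible_groups(guardian.user, nil, include_everyone: true)).
def permissions_fixed(category_id, user)
  serialize(groups_for_category(category_id).select { |g| g.visible_to?(user) })
end

if __FILE__ == $PROGRAM_NAME
  moderator = User.new(id: 11, admin: false, moderator: true)
  p permissions_vulnerable(7, moderator) # includes acme-partners (3 users) and board (2 users)
  p permissions_fixed(7, moderator)      # [{:name=>"staff-only", :user_count=>2}]
end
```

The point of the example is where the filter sits: applying visibility in the query that feeds the serializer closes the leak for every caller of that query, whereas filtering names at render time would still let the user counts escape through any other code path that reuses the unscoped relation.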
Attack Vector
The attack requires network access to the forum and a valid account that holds the moderator role; no other privileges are needed. A moderator can exploit this vulnerability by:
- Identifying a read-restricted category in the Discourse instance
- Sending a request to the Category Chatables Controller show action
- Observing the response which includes hidden group names and user counts
This is a straightforward information disclosure that requires no user interaction and can be executed with low attack complexity.
# Security patch in plugins/chat/app/controllers/chat/api/category_chatables_controller.rb
# The fix adds visibility filtering to respect group visibility settings
if category.read_restricted?
permissions =
Group
+ .visible_groups(guardian.user, nil, include_everyone: true)
.joins(:category_groups)
.where(category_groups: { category_id: category.id })
.where(
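Review bot: the hunk stops at an open `.where(`, so the condition that selects which category_groups rows count as permissions is not visible and cannot be reviewed here; the only reviewable change is the added `.visible_groups(guardian.user, nil, include_everyone: true)`. That scope narrows which groups are returned, but the advisory text also names user counts as disclosed data and nothing in these lines touches how a count is produced, so confirm that the count shown for each surviving group is computed from this filtered relation and not from a separate unscoped lookup. A one-line source comment on `include_everyone: true` explaining that it deliberately keeps the built-in everyone group in scope would also help, since the reason is not obvious from the call site and a later cleanup could drop it.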
Source: GitHub Commit
Detection Methods for CVE-2026-33300
Indicators of Compromise
- Unusual volume of requests to the Category Chatables Controller show action from moderator accounts
- Web server access logs showing repeated requests to the chat API's category chatables route (the page's example path is /chat/api/category_chatables; confirm the exact route for your version from the chat plugin's routes file, since the controller lives at plugins/chat/app/controllers/chat/api/category_chatables_controller.rb)
- A single moderator account requesting the chatables of many read-restricted categories in rapid succession, especially from a scripted client or an unfamiliar IP
- Requests to this endpoint that do not line up with the moderator's normal workflow, for example from an account that otherwise never uses chat
Detection Strategies
- Monitor web server access logs for the Category Chatables Controller show action; Discourse's staff action log records moderation actions rather than read requests, so the access log is the primary source here
- Alert on bulk or scripted requests to category-related endpoints from moderator-level accounts, keyed on distinct category IDs per account per time window rather than raw request counts
- Correlate flagged accounts with the list of moderators from the admin user list, since the role is not present in the access log itself
- Deploy web application firewall rules to detect enumeration patterns against category endpoints
Monitoring Recommendations
- Enable detailed request logging for Discourse's chat plugin API endpoints
- Configure SIEM alerts for anomalous access patterns to category chatables
- Implement user behavior analytics to detect moderators accessing unusually high numbers of restricted categories
- Regularly review moderator activity reports for potential information gathering behavior
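The detection strategy above (distinct read-restricted categories per moderator per time window) is small enough to show end to end. The following is an added example written for this page, not a Discourse or vendor tool. The log lines are constructed, and their format is a simplified approximation of an access log that records the request line and the acting username; adjust LOG_LINE to your own log_format, and the route regex to the actual category chatables route for your Discourse version. The moderator list is also constructed and would normally be pulled from the admin user list.

```ruby
require "time"
require "set"

# Constructed sample log lines (not real traffic). Simplified format:
# [iso8601 time] client_ip "METHOD path HTTP/x" status "username"
SAMPLE_LOG = <<~LOG
  [2026-04-01T10:00:01Z] 203.0.113.7 "GET /chat/api/category-chatables/12 HTTP/1.1" 200 "mod_alice"
  [2026-04-01T10:00:03Z] 203.0.113.7 "GET /chat/api/category-chatables/13 HTTP/1.1" 200 "mod_alice"
  [2026-04-01T10:00:04Z] 203.0.113.7 "GET /chat/api/category-chatables/14 HTTP/1.1" 200 "mod_alice"
  [2026-04-01T10:00:06Z] 203.0.113.7 "GET /chat/api/category-chatables/15 HTTP/1.1" 200 "mod_alice"
  [2026-04-01T10:00:07Z] 198.51.100.2 "GET /chat/api/category-chatables/12 HTTP/1.1" 200 "mod_bob"
  [2026-04-01T10:20:00Z] 198.51.100.2 "GET /chat/api/category-chatables/13 HTTP/1.1" 200 "mod_bob"
  [2026-04-01T10:00:09Z] 192.0.2.9 "GET /chat/api/category-chatables/12 HTTP/1.1" 200 "mod_alice"
  [2026-04-01T10:00:10Z] 192.0.2.9 "GET /chat/api/category-chatables/16 HTTP/1.1" 200 "regular_carol"
  [2026-04-01T10:00:11Z] 192.0.2.9 "GET /latest.json HTTP/1.1" 200 "mod_alice"
LOG

# Constructed: in practice, take this from the site's admin user list.
MODERATORS = Set["mod_alice", "mod_bob"].freeze

WINDOW    = 300 # seconds of activity considered together
THRESHOLD = 3   # distinct categories per window that trigger a finding

LOG_LINE = /\A\[(?<time>[^\]]+)\] (?<ip>\S+) "(?<method>[A-Z]+) (?<path>\S+) HTTP\/[\d.]+" (?<status>\d{3}) "(?<user>[^"]*)"\z/
# Accepts both hyphen and underscore spellings; verify the real route (assumption).
CHATABLES = %r{\A/chat/api/category[-_]chatables/(?<category_id>\d+)(?:\.json)?(?:[?#]|\z)}

Event = Struct.new(:time, :ip, :user, :category_id, :status)

# Parse only the lines that hit the category chatables show route.
def parse_chatable_events(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_LINE.match(line.strip) or next
    c = CHATABLES.match(m[:path]) or next
    Event.new(Time.iso8601(m[:time]), m[:ip], m[:user], c[:category_id].to_i, m[:status].to_i)
  end
end

# For each moderator, slide a window over their successful requests and flag
# the first window that touches at least THRESHOLD distinct categories.
def enumeration_findings(log_text, moderators: MODERATORS, window: WINDOW, threshold: THRESHOLD)
  events = parse_chatable_events(log_text).select { |e| moderators.include?(e.user) && e.status == 200 }
  findings = []
  events.group_by(&:user).each do |user, evs|
    evs = evs.sort_by(&:time)
    evs.each_index do |i|
      start = evs[i].time
      in_window = evs[i..].take_while { |e| e.time - start <= window }
      cats = in_window.map(&:category_id).uniq
      next if cats.size < threshold
      findings << {
        user: user,
        categories: cats.sort,
        ips: in_window.map(&:ip).uniq,
        window_start: start,
        window_end: in_window.last.time,
      }
      break # one finding per account is enough to raise an alert
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  enumeration_findings(SAMPLE_LOG).each do |f|
    puts "#{f[:user]} requested chatables for categories #{f[:categories].join(', ')} " \
         "from #{f[:ips].join(', ')} between #{f[:window_start]} and #{f[:window_end]}"
  end
end
```

In the sample, mod_alice touches four distinct categories within seconds and is flagged, while mod_bob's two requests are twenty minutes apart and fall outside the window. The access log does not say which categories are read-restricted, so a production version should intersect the flagged category IDs with the site's restricted category list before paging anyone, and should treat a change of client IP inside one window (as in the sample) as an additional signal worth showing in the alert.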
How to Mitigate CVE-2026-33300
Immediate Actions Required
- Upgrade Discourse to patched versions: 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Audit moderator access logs to determine if this vulnerability may have been exploited
- Review hidden group configurations to assess potential data exposure
- Consider temporarily restricting moderator access to chat features until patching is complete
Patch Information
Discourse has released security patches addressing this vulnerability in versions 2026.1.3, 2026.2.2, and 2026.3.0. The fix applies the visible_groups scope, built from the requesting user, to the Group query in the Category Chatables Controller, so that group visibility settings are respected for every request rather than only for administrators.
For detailed patch information, refer to the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- If immediate patching is not possible, consider temporarily disabling chat (the chat_enabled site setting) until the upgrade can be performed; this removes the vulnerable endpoint at the cost of the whole chat feature
- Restrict moderator role assignments to only essential personnel until patching is complete, since the endpoint is only reachable with that role
- Network-level access controls do not address the flaw itself, because the request comes from an authenticated moderator through the normal site interface; they only reduce exposure if moderators are already confined to trusted networks
- Monitor and log all moderator activity for forensic purposes
# Verify Discourse version after patching
cd /var/discourse
./launcher enter app
rails runner "puts Discourse::VERSION::STRING"
# Check that the patched version is running (should be 2026.1.3, 2026.2.2, or 2026.3.0+)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


