CVE-2026-33415 Overview
CVE-2026-33415 is an authorization bypass vulnerability in Discourse, an open-source discussion platform. The vulnerability exists in the sentiment analytics endpoint of the Discourse AI plugin, where insufficient access controls allow authenticated moderator-level users to retrieve post content, topic titles, and usernames from categories they are not authorized to view.
Critical Impact
Authenticated moderators can bypass category permission boundaries to access restricted content, potentially exposing sensitive discussions, private topics, and user information from confidential forum categories.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-33415 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33415
Vulnerability Analysis
This vulnerability (CWE-284: Improper Access Control) stems from a missing authorization check in the Discourse AI sentiment analytics controller. The sentiment posts endpoint failed to validate whether the requesting user had permission to access content from specific categories before returning results. This allowed moderator-level users to query the sentiment analytics API and receive data from categories that should have been restricted based on their role permissions.
The attack requires network access and high-level privileges (moderator account), but once these prerequisites are met, exploitation is straightforward with no user interaction required. The impact is limited to confidentiality—attackers can read unauthorized content but cannot modify or delete data.
Root Cause
The root cause is missing category-level authorization filtering in the sentiment posts SQL query within the Discourse AI plugin. The original implementation queried posts and topics based on date ranges and deletion status but did not filter results against the user's allowed category permissions. This oversight allowed the database to return posts from any category, regardless of the requesting user's access rights.
Attack Vector
An authenticated attacker with moderator privileges can exploit this vulnerability by sending crafted requests to the sentiment analytics endpoint. The endpoint accepts parameters such as start_date, end_date, limit, and offset to query sentiment data across posts. Because the query lacked category permission validation, responses would include content from restricted categories alongside permitted ones.
The attack is network-based and requires no user interaction. The attacker simply needs valid moderator credentials and can then enumerate posts across the entire forum, including staff-only, private, or otherwise restricted categories.
((:start_date IS NULL OR p.created_at > :start_date) AND (:end_date IS NULL OR p.created_at < :end_date))
AND p.deleted_at IS NULL
AND t.deleted_at IS NULL
+ AND (t.category_id IS NULL OR t.category_id IN (:allowed_category_ids))
ORDER BY p.created_at DESC
LIMIT :limit OFFSET :offset
SQL
Source: GitHub Commit e1bb146
Detection Methods for CVE-2026-33415
Indicators of Compromise
- Unusual API requests to sentiment analytics endpoints from moderator accounts
- High-volume queries to /discourse_ai/sentiment/ endpoints with broad date ranges
- Access log entries showing moderators retrieving posts from categories outside their permission scope
- Abnormal patterns in sentiment endpoint usage, particularly requests with large limit values or iterative offset parameters
Detection Strategies
- Monitor API access logs for the Discourse AI sentiment controller endpoints
- Implement alerting on moderator accounts making repeated sentiment analytics queries
- Review application logs for SQL queries against the sentiment endpoint that return posts from multiple categories
- Correlate user permission levels with accessed category IDs in response data
Monitoring Recommendations
- Enable detailed access logging for the Discourse AI plugin endpoints
- Set up alerts for moderator accounts querying sentiment data outside normal usage patterns
- Audit moderator activity logs periodically for signs of information gathering
- Consider implementing rate limiting on analytics endpoints to slow potential enumeration attempts
How to Mitigate CVE-2026-33415
Immediate Actions Required
- Upgrade Discourse to patched versions 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Review access logs for evidence of exploitation attempts prior to patching
- Audit moderator accounts for any suspicious sentiment analytics usage
- Consider temporarily disabling the Discourse AI sentiment feature if immediate patching is not possible
Patch Information
The vulnerability has been patched by adding category-level authorization filtering to the sentiment posts SQL query. The fix adds a condition AND (t.category_id IS NULL OR t.category_id IN (:allowed_category_ids)) that ensures only posts from categories the requesting user is authorized to access are returned. Patched versions are available:
- Version 2026.1.3 for the 2026.1.x branch
- Version 2026.2.2 for the 2026.2.x branch
- Version 2026.3.0 for the 2026.3.x branch
For detailed patch information, see the GitHub Security Advisory GHSA-vj5f-gg8m-93xg.
Workarounds
- Disable the Discourse AI sentiment analytics feature until patching can be completed
- Restrict moderator account access to trusted personnel only
- Implement network-level access controls to limit API endpoint exposure
- Monitor and audit all moderator activity through Discourse admin logs
# Check current Discourse version
cd /var/discourse
./launcher enter app
rails runner "puts Discourse::VERSION::STRING"
# Update to patched version
cd /var/discourse
git pull
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
