CVE-2026-33514 Overview
CVE-2026-33514 is a missing authorization vulnerability [CWE-862] in Discourse, an open-source discussion platform. The flaw affects instances with the form templates feature enabled. An authenticated user can read the name and structured content of form templates assigned to categories they are not authorized to access.
The impact is limited to disclosure of site configuration metadata. The issue is fixed in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Critical Impact
Authenticated users can enumerate form template names and structured content tied to restricted categories, exposing site configuration metadata.
Affected Products
- Discourse versions prior to 2026.1.4
- Discourse versions prior to 2026.3.1 on the 2026.3 branch
- Discourse versions prior to 2026.4.1 on the 2026.4 branch
- Discourse versions prior to 2026.5.0-latest.1 on the latest branch
Discovery Timeline
- 2026-05-19 - CVE-2026-33514 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33514
Vulnerability Analysis
Discourse provides a form templates feature that lets administrators define structured input forms for specific categories. Templates can contain field definitions, default values, and category-specific configuration metadata.
In affected versions, the API endpoint serving form template data did not validate whether the requesting user had permission to view the associated category. An authenticated user could request template records linked to restricted categories and receive the template name and structured content in the response.
The exposed data is limited to template definitions and site configuration metadata. The vulnerability does not disclose user content, posts, or private messages contained in restricted categories.
Root Cause
The root cause is a missing authorization check [CWE-862] in the form templates retrieval path: the code returned template records without first verifying that the requesting user could access the categories those templates were scoped to. Category-level access control was enforced for posts and topics but had not been extended to the form template association.
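The pattern described above, modelled as an added example in Ruby (this is not Discourse's code, and the Category, FormTemplate, User and Guardian classes and the show_template_* helpers are assumptions chosen to mirror Rails conventions, not Discourse's real classes). It places the vulnerable shape, where being logged in is the only check, beside the fixed shape, where a category-level authorization check runs before the record is serialized:

```ruby
# Added example, not Discourse's code: a minimal model of the missing
# authorization check behind CVE-2026-33514 next to its corrected form.
# Category, FormTemplate, User, Guardian and the show_template_* helpers are
# assumptions that mirror Rails conventions, not Discourse's real classes.

Category     = Struct.new(:id, :name, :read_restricted, :allowed_group_ids)
FormTemplate = Struct.new(:id, :name, :template, :category_ids)
User         = Struct.new(:id, :username, :group_ids, :staff)

class NotAuthorized < StandardError; end

# Policy object in the style of a Guardian (assumed, simplified).
class Guardian
  def initialize(user)
    @user = user
  end

  # Public categories are visible to everyone; restricted ones only to staff
  # or to members of one of the category's allowed groups.
  def can_see_category?(category)
    return true unless category.read_restricted
    return true if @user.staff
    (@user.group_ids & category.allowed_group_ids).any?
  end

  # A template is readable when the user can see at least one category it is
  # assigned to. Staff always may; a template assigned to no category is kept
  # staff-only here (a conservative choice, assumed for this example).
  def can_see_form_template?(template, categories)
    return true if @user.staff
    scoped = categories.select { |c| template.category_ids.include?(c.id) }
    scoped.any? { |c| can_see_category?(c) }
  end
end

def serialize(template)
  { id: template.id, name: template.name, template: template.template }
end

# Vulnerable shape: being logged in is the only check before the full record
# (name plus structured content) is returned.
def show_template_vulnerable(user, template, _categories)
  raise NotAuthorized, "login required" if user.nil?
  serialize(template)
end

# Fixed shape: category-level authorization runs before serialization.
def show_template_fixed(user, template, categories)
  raise NotAuthorized, "login required" if user.nil?
  unless Guardian.new(user).can_see_form_template?(template, categories)
    raise NotAuthorized, "form template belongs to a category you cannot see"
  end
  serialize(template)
end

# Constructed fixtures: one public category, one restricted to group 3, and a
# template attached only to the restricted one.
CATEGORIES = [
  Category.new(1, "general", false, []),
  Category.new(9, "incident-response", true, [3]),
]
RESTRICTED_TEMPLATE = FormTemplate.new(
  12, "incident-intake", "- type: input\n  id: affected-system\n", [9]
)
ALICE = User.new(1, "alice", [10], false)   # ordinary member, not in group 3
BOB   = User.new(2, "bob",   [3],  false)   # member of the allowed group
ADMIN = User.new(3, "admin", [],   true)

if $PROGRAM_NAME == __FILE__
  p show_template_vulnerable(ALICE, RESTRICTED_TEMPLATE, CATEGORIES)[:name]
  begin
    show_template_fixed(ALICE, RESTRICTED_TEMPLATE, CATEGORIES)
  rescue NotAuthorized => e
    puts "fixed: #{e.message}"
  end
end
```

The point of the fixed shape is that the authorization question is asked of the policy object, in terms of the categories the template is scoped to, rather than inferred from the fact that a session exists; the same test a category read already goes through is reused for the association.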
Attack Vector
The attack requires network access and a valid low-privilege account on the target Discourse instance. The attacker queries the form templates endpoint and receives template data for categories outside their authorization scope. No user interaction is required beyond standard authenticated API calls. The technique is documented in the GitHub Security Advisory GHSA-w6g7-p2p9-2m5h.
Detection Methods for CVE-2026-33514
Indicators of Compromise
- Repeated authenticated requests to form template API endpoints from a single account enumerating multiple template identifiers.
- Authenticated accounts retrieving template metadata for categories outside their group membership.
- Spikes in 200-OK responses to form template endpoints originating from non-staff accounts.
Detection Strategies
- Review Discourse application logs for authenticated requests to form template routes correlated against the requesting user's category permissions.
- Compare returned template identifiers against the categories each user is authorized to view to surface unauthorized disclosures.
- Alert on user accounts retrieving template data at a rate inconsistent with normal forum interaction.
Monitoring Recommendations
- Forward Discourse Rails and reverse proxy access logs to a centralized log platform for retention and query.
- Build a dashboard tracking form template endpoint usage segmented by user trust level and account age.
- Establish a baseline of normal template access patterns and alert on deviations from authenticated low-privilege users.
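The two checks the detection strategies above describe, cross-referencing template fetches against each user's category permissions and flagging accounts that fetch at an abnormal rate, as an added Ruby example (not code from the advisory or from Discourse). The log line format, the /form-templates/:id.json route shape and the user/template/category tables are constructed assumptions; in practice the tables would be queried from the database and the lines would come from the forwarded Rails or proxy logs:

```ruby
# Added example, not from the advisory or Discourse: replay constructed log
# lines against a table of which categories each user may read, flag
# successful form-template fetches outside that scope, and flag accounts whose
# fetch rate is out of line. Log format, route shape and tables are assumed.
require "time"

LOG_LINE = /\A(?<ts>\S+) (?<user>\S+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})\z/
ROUTE    = %r{\A/form-templates/(?<id>\d+)(?:\.json)?\z}

# Constructed reference data: template id => category ids it is assigned to,
# and username => category ids that user is allowed to read.
TEMPLATE_CATEGORIES = { 7 => [1], 12 => [9], 15 => [1, 9] }
USER_CATEGORIES     = { "alice" => [1], "bob" => [1, 9], "mallory" => [1] }

# Constructed log excerpt (timestamp, user, method, path, status).
SAMPLE_LOG = <<~LOG
  2026-05-20T10:00:01Z alice GET /form-templates/7.json 200
  2026-05-20T10:00:02Z mallory GET /form-templates/7.json 200
  2026-05-20T10:00:03Z mallory GET /form-templates/12.json 200
  2026-05-20T10:00:04Z mallory GET /form-templates/15.json 200
  2026-05-20T10:00:05Z bob GET /form-templates/12.json 200
  2026-05-20T10:00:06Z mallory GET /form-templates/13.json 404
  2026-05-20T10:00:07Z alice GET /t/123 200
LOG

Event = Struct.new(:ts, :user, :template_id, :status)

# Keep only lines that hit the form template route.
def parse_events(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line.strip) or next
    r = ROUTE.match(m[:path]) or next
    Event.new(Time.iso8601(m[:ts]), m[:user], r[:id].to_i, m[:status].to_i)
  end
end

# A successful fetch is unauthorized when the user can read none of the
# categories the template is scoped to; unknown template ids are skipped.
def unauthorized_fetches(events)
  events.select do |e|
    next false unless e.status == 200
    cats = TEMPLATE_CATEGORIES[e.template_id] or next false
    (cats & USER_CATEGORIES.fetch(e.user, [])).empty?
  end
end

# Users with more than `max` template requests inside any `window` seconds.
def rate_outliers(events, max:, window:)
  events.group_by(&:user).filter_map do |user, evs|
    times = evs.map(&:ts).sort
    hot = times.each_index.any? do |i|
      times[i..].count { |t| t - times[i] <= window } > max
    end
    user if hot
  end
end

if $PROGRAM_NAME == __FILE__
  events = parse_events(SAMPLE_LOG)
  unauthorized_fetches(events).each do |e|
    puts "unauthorized: #{e.user} read template #{e.template_id} at #{e.ts.iso8601}"
  end
  puts "rate outliers: #{rate_outliers(events, max: 2, window: 10).join(', ')}"
end
```

The permission cross-reference is the higher-confidence signal, since it only fires when a 200 response went to a user who could not see any category the template belongs to; the rate check is a coarser baseline alert whose threshold and window should be tuned to the forum's normal traffic.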
How to Mitigate CVE-2026-33514
Immediate Actions Required
- Upgrade Discourse to 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 depending on the deployed branch.
- Audit historical access logs for unauthorized form template retrieval since the form templates feature was enabled.
- Review form template content and remove any sensitive configuration data that should not be visible to all authenticated users.
Patch Information
The Discourse team committed the fix in the upstream repository. See the GitHub Commit ae5c9570fb918442c4d96abc83c1e7e169909b02 for the code change and the GitHub Security Advisory GHSA-w6g7-p2p9-2m5h for vendor guidance. Patched releases enforce category-level authorization before returning form template data.
Workarounds
- Disable the form templates feature in site settings until the upgrade is applied.
- Remove form templates from sensitive categories and store the data outside Discourse until patched.
- Restrict account creation and require staff approval to limit the population of authenticated users able to query the endpoint.
# Verify Discourse version after upgrade
cd /var/discourse
./launcher logs app | grep -i version
# Confirm the running version matches 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.