CVE-2026-44782: Discourse Information Disclosure Flaw

CVE-2026-44782 Overview

CVE-2026-44782 is an information disclosure vulnerability in Discourse, an open-source discussion platform. The flaw exists in GroupPostSerializer, where a misnamed predicate method caused the enable_names site setting to be ignored. As a result, object.user.name was always serialized in group post responses, regardless of administrator configuration. Authenticated users could retrieve full names of other users even when the platform was configured to hide them. The issue affects Discourse versions 2026.1.0 through 2026.1.4, 2026.3.0 through 2026.3.1, and 2026.4.0 through 2026.4.1. The vulnerability is categorized under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).

Critical Impact
Authenticated users can access user full names through group post APIs even when SiteSetting.enable_names is disabled, breaking expected privacy controls.

Affected Products

Discourse versions 2026.1.0-latest to before 2026.1.4
Discourse versions 2026.3.0-latest to before 2026.3.1
Discourse versions 2026.4.0-latest to before 2026.4.1

Discovery Timeline

2026-06-12 - CVE-2026-44782 published to NVD
2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-44782

Vulnerability Analysis

The vulnerability resides in Discourse's GroupPostSerializer, a Ruby class used to serialize group post data for API responses. Discourse uses the Active Model Serializers (AMS) library, which supports conditional attribute inclusion through predicate methods. AMS expects a predicate named include_<attribute>? to decide whether to include an attribute in serialized output.

For the :name attribute, GroupPostSerializer declared the predicate as include_user_long_name? instead of the expected include_name?. AMS never invoked the misnamed method during serialization. Without a matching predicate, AMS defaulted to always including the :name attribute in the output.

This behavior bypassed the SiteSetting.enable_names configuration, which administrators use to control whether real names are exposed to other users. Forums that explicitly disabled name display continued to leak this data through group post endpoints.

Root Cause

The root cause is a naming mismatch between the predicate method defined in GroupPostSerializer and the convention enforced by Active Model Serializers. The misnamed include_user_long_name? predicate was dead code, leaving the :name attribute permanently included.

Attack Vector

An authenticated low-privilege user submits a request to an affected group post endpoint. The serialized response contains the name field for each user, exposing real names that administrators configured to hide. No special privileges or user interaction beyond standard authentication are required.

No verified exploit code is publicly available. Refer to the GitHub Security Advisory for technical details from the maintainers.

Detection Methods for CVE-2026-44782

Indicators of Compromise

API responses from group post endpoints containing a populated name field while enable_names is set to false in site settings.
Unusual volumes of requests to group post JSON endpoints from a single authenticated session.
Access patterns enumerating multiple groups or posts to harvest user identity data.

Detection Strategies

Review application logs for authenticated requests to group post endpoints and correlate response payloads against the enable_names configuration.
Compare the running Discourse version against the fixed releases 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Inspect serialized JSON output from GroupPostSerializer for the presence of name when name display should be disabled.

Monitoring Recommendations

Enable verbose access logging on Discourse API endpoints and forward logs to a centralized analytics platform for query and alerting.
Alert on rapid sequential enumeration of group post resources by a single user account.
Track configuration drift on the enable_names site setting to ensure privacy controls remain enforced.

How to Mitigate CVE-2026-44782

Immediate Actions Required

Upgrade Discourse to a patched release: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
Audit historical API access logs to identify accounts that may have collected user name data while the flaw was present.
Notify users whose real names may have been exposed if your deployment relied on enable_names being disabled.

Patch Information

Discourse has released patches in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The fix renames the predicate in GroupPostSerializer so that AMS correctly evaluates whether to include the :name attribute based on the SiteSetting.enable_names configuration. See the GitHub Security Advisory GHSA-h3mq-9r6w-h33j for full details.

Workarounds

No official workaround is documented. Upgrading to a patched version is the recommended remediation.
Where immediate upgrade is not feasible, restrict access to group post endpoints through reverse proxy rules or limit authenticated user permissions to reduce exposure.
Communicate the privacy gap to users until patching is complete.

bash

# Verify your Discourse version after upgrading
cd /var/discourse
./launcher logs app | grep -i version
# Confirm the running version is 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1