CVE-2026-44786 Overview
CVE-2026-44786 is an information disclosure vulnerability in Discourse, an open-source discussion platform. The flaw exists because chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber, including one that does not have chat enabled, can receive chat message payloads in real time. The issue affects the Discourse 2026.1.0-latest, 2026.3.0-latest and 2026.4.0-latest release lines prior to 2026.1.4, 2026.3.1 and 2026.4.1 respectively. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Unauthenticated network attackers can subscribe to MessageBus channels and passively receive public chat message contents in real time without requiring chat access permissions.
Affected Products
- Discourse 2026.1.0-latest up to, but not including, 2026.1.4
- Discourse 2026.3.0-latest up to, but not including, 2026.3.1
- Discourse 2026.4.0-latest up to, but not including, 2026.4.1
Discovery Timeline
- 2026-06-12 - CVE-2026-44786 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-44786
Vulnerability Analysis
Discourse uses MessageBus, a real-time pub/sub messaging library, to push live updates to connected clients. Chat features rely on MessageBus channels to deliver new messages, edits, and reactions instantly. The chat plugin published events for public category channels through MessageBus without attaching any permission scoping, so delivery was not restricted to subscribers who were allowed to see the channel. As a result, any client subscribed to the MessageBus endpoint received the payloads regardless of whether that client had chat enabled or held the appropriate access scope. The exposed payloads include chat message content from public category channels, enabling passive eavesdropping on conversations.
Root Cause
The root cause is missing authorization on the publish path of MessageBus chat events. The publishing code did not attach permission scopes to events for public category channels. Without scoping metadata, MessageBus delivers the event to every active subscriber rather than filtering recipients by channel membership or chat capability.
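The following is a minimal model of recipient scoping at publish time, added here to illustrate the root cause; it is not the message_bus gem or Discourse's chat plugin code. It assumes the gem's behaviour that a publish call can carry user_ids/group_ids recipient filters and that a message published without them reaches every subscriber on the channel; the group id and channel name are constructed.

```python
# Minimal model of MessageBus recipient scoping written for this page; not the
# message_bus gem or Discourse's chat plugin. The gem's publish accepts
# user_ids:/group_ids: recipient filters; the bug was publishing public-channel
# chat events with neither, so every subscriber on the channel received them.
class Subscriber:
    def __init__(self, name, user_id=None, group_ids=()):
        self.name, self.user_id, self.group_ids = name, user_id, set(group_ids)
        self.inbox = []  # payloads this client actually received

class Bus:
    def __init__(self):
        self.subscriptions = {}  # channel -> list of Subscriber

    def subscribe(self, channel, sub):
        self.subscriptions.setdefault(channel, []).append(sub)

    def publish(self, channel, data, user_ids=None, group_ids=None):
        """Deliver data to channel subscribers and return the names that got it.
        With no user_ids/group_ids the message is unscoped and goes to everyone."""
        delivered = []
        for sub in self.subscriptions.get(channel, []):
            if user_ids is None and group_ids is None:
                allowed = True  # unscoped publish: the vulnerable case
            else:
                allowed = (user_ids is not None and sub.user_id in user_ids) or \
                          (group_ids is not None and bool(sub.group_ids & set(group_ids)))
            if allowed:
                sub.inbox.append(data)
                delivered.append(sub.name)
        return delivered

CHAT_GROUP = 42  # constructed id standing in for the group permitted to use chat

def demo(scoped):
    """Publish one public-category chat message; return who received it."""
    bus = Bus()
    member = Subscriber("chat-member", user_id=1, group_ids=[CHAT_GROUP])
    anon = Subscriber("anonymous-poller")  # no user, no groups, chat not enabled
    for sub in (member, anon):
        bus.subscribe("/chat/channel/7", sub)  # constructed channel name
    payload = {"message": "hello", "channel_id": 7}
    if scoped:  # the patched shape: recipients limited to the chat group
        return bus.publish("/chat/channel/7", payload, group_ids=[CHAT_GROUP])
    return bus.publish("/chat/channel/7", payload)  # the vulnerable shape
```

Running demo(False) shows the anonymous poller receiving the payload alongside the member; demo(True) delivers only to the member.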
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker connects to the target Discourse instance and subscribes to MessageBus updates using standard client polling endpoints. Once subscribed, the attacker receives real-time payloads for public category chat events without first joining the chat channel or holding chat permissions. The attack is passive, leaves minimal forensic evidence, and yields a continuous stream of chat content as long as the subscription remains active.
The vulnerability does not enable modification or destruction of data. Refer to the GitHub Security Advisory GHSA-j7wq-rf5c-8783 for the maintainer's technical description.
Detection Methods for CVE-2026-44786
Indicators of Compromise
- Unusual or sustained polling against the /message-bus/ endpoints from clients that have never authenticated or used chat features.
- MessageBus subscriber identifiers correlating to IP addresses outside the normal user population.
- High-volume long-lived connections to MessageBus from a small number of source IPs.
Detection Strategies
- Inspect Discourse application logs and reverse proxy logs for /message-bus/ request patterns that diverge from typical user session behavior.
- Correlate MessageBus subscription activity with authenticated session state to identify subscribers without active chat usage.
- Apply web application firewall rules to flag anonymous or low-reputation clients establishing persistent MessageBus polling sessions.
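The indicator and strategy lists above can be turned into a concrete check over reverse proxy logs. The script below is an added example, not part of the original page or of Discourse: it assumes Nginx combined log format and that the MessageBus client polls POST /message-bus/<client_id>/poll, and it flags source IPs that do nothing but poll MessageBus over a sustained window. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Nginx combined log format; not real traffic. A normal
# browser session shows page loads next to its polls, while a client that only
# ever polls /message-bus/ matches the poll-only profile described above.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:10:00:01 +0000] "POST /message-bus/aa11/poll HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [12/Jun/2026:10:00:16 +0000] "POST /message-bus/aa11/poll HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.7 - - [12/Jun/2026:10:00:31 +0000] "POST /message-bus/aa11/poll HTTP/1.1" 200 530 "-" "curl/8.0"
203.0.113.7 - - [12/Jun/2026:10:00:46 +0000] "POST /message-bus/aa11/poll HTTP/1.1" 200 501 "-" "curl/8.0"
198.51.100.20 - - [12/Jun/2026:10:00:02 +0000] "GET /latest HTTP/1.1" 200 14023 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:10:00:05 +0000] "GET /chat/c/general/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:10:00:20 +0000] "POST /message-bus/bb22/poll HTTP/1.1" 200 610 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:10:00:35 +0000] "POST /message-bus/bb22/poll HTTP/1.1" 200 605 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
POLL_RE = re.compile(r"^/message-bus/([^/]+)/poll")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_poll_only_clients(log_text, min_polls=3, min_seconds=30):
    """Return IPs that only ever poll MessageBus (no other path at all) for at
    least min_polls requests spanning min_seconds, with their client ids."""
    stats = defaultdict(lambda: {"polls": 0, "other": 0, "clients": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, _method, path, _status = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        s = stats[ip]
        poll = POLL_RE.match(path)
        if poll:
            s["polls"] += 1
            s["clients"].add(poll.group(1))
            s["first"] = when if s["first"] is None else min(s["first"], when)
            s["last"] = when if s["last"] is None else max(s["last"], when)
        else:
            s["other"] += 1  # any non-poll request counts as normal site usage
    findings = []
    for ip, s in stats.items():
        if s["other"] == 0 and s["polls"] >= min_polls:
            span = (s["last"] - s["first"]).total_seconds()
            if span >= min_seconds:
                findings.append({"ip": ip, "polls": s["polls"], "span_seconds": span, "client_ids": sorted(s["clients"])})
    return findings
```

On the sample, only 203.0.113.7 is reported (four polls over 45 seconds, never any other request); tune min_polls and min_seconds to the polling interval and traffic volume of the instance.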
Monitoring Recommendations
- Track MessageBus subscriber counts over time and alert on anomalous growth that does not correlate with user activity.
- Forward Discourse and Nginx logs to a centralized analytics platform for retrospective queries on suspicious subscribers.
- Review chat channel access patterns and audit any reports of leaked chat content from public category channels.
How to Mitigate CVE-2026-44786
Immediate Actions Required
- Upgrade Discourse to a patched release: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
- Inventory all Discourse deployments, including staging and archived community instances, and confirm version status.
- Treat any previously sent chat content in public category channels as potentially exposed and notify affected community owners.
Patch Information
Discourse has released fixes in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The patches add permission scoping to chat events published to MessageBus so that only authorized subscribers receive payloads. Patch details are available in the Discourse Security Advisory GHSA-j7wq-rf5c-8783.
Workarounds
- No vendor-supplied workaround replaces patching; upgrade as the primary remediation.
- Temporarily disable the chat plugin on affected instances if upgrading is not immediately possible.
- Restrict public chat channels and migrate sensitive discussions to access-controlled channels until the patch is applied.
# Configuration example: upgrade a standard Discourse Docker deployment
cd /var/discourse
git pull
./launcher rebuild app
# Verify version after rebuild
./launcher logs app | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.