CVE-2026-21865
📋 TL;DR
This vulnerability allows moderators in Discourse to improperly convert private personal messages into public topics, violating user privacy expectations. It affects Discourse instances running versions before 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. Only users with moderator privileges can exploit this issue.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Sensitive private conversations containing personal information, credentials, or confidential business discussions are exposed to all forum users, leading to privacy violations, reputational damage, and potential regulatory compliance issues.
Likely Case
Moderators accidentally or intentionally expose private conversations, causing user privacy violations, trust erosion, and potential data protection regulation violations.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and contained.
🎯 Exploit Status
Exploitation requires authenticated moderator access. The vulnerability is an authorization bypass where moderators can perform actions they shouldn't be authorized to do.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39
Restart Required: Yes
Instructions:
1. Back up your Discourse instance and database.
2. Update Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 using your preferred deployment method (Docker, manual, etc.).
3. Restart the Discourse application.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Revoke moderator privileges
Temporarily remove the moderator role from untrusted users until patching is complete
# In Discourse admin panel: Admin > Users > Select user > Edit > Remove from moderator group
Modify personal message settings
Remove the moderator group from the groups allowed to use personal messages
# In Discourse admin panel: Admin > Settings > personal_message_enabled_groups > Remove moderator group
🧯 If You Can't Patch
- Implement strict monitoring of moderator actions, particularly personal message conversions
- Reduce number of moderators to only essential, trusted personnel
🔍 How to Verify
Check if Vulnerable:
Check Discourse version in admin panel or via command: `cd /var/discourse && ./launcher status app`
Check Version:
cd /var/discourse && grep version containers/app.yml
Verify Fix Applied:
Confirm version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 in admin interface
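Because the fix landed on four separate release branches, "is my version patched?" is not a single comparison. The following helper (added here as an example; it is not part of the advisory or of Discourse itself) encodes the advisory's "before 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0" rule: a version on the same major.minor branch as a fixed release is patched only at or beyond that release, a branch newer than every fixed branch is assumed patched, and an older branch that never received the fix is treated as vulnerable. Treating the 3.x line and the calendar-versioned (2025.x/2026.x) line as separate families, and ignoring pre-release suffixes such as `.beta1`, are assumptions made for this example.

```python
from __future__ import annotations

import re

# First patched release on each branch, as listed in the advisory.
FIXED_VERSIONS = ("3.5.4", "2025.11.2", "2025.12.1", "2026.1.0")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a 'MAJOR.MINOR.PATCH' string into a comparable tuple.

    Any trailing pre-release suffix (e.g. '.beta1') is ignored; that is an
    assumption for this example, not an official Discourse versioning rule.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised Discourse version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def _family(version: tuple[int, int, int]) -> str:
    # Assumption: a leading component that looks like a year marks the
    # calendar-versioned line; anything else is the classic 3.x line.
    return "calendar" if version[0] >= 2000 else "classic"


def is_vulnerable(version_text: str) -> bool:
    """Return True if this Discourse version predates the fix on its branch."""
    version = parse_version(version_text)
    fixed = [
        parse_version(f) for f in FIXED_VERSIONS
        if _family(parse_version(f)) == _family(version)
    ]
    # Same major.minor branch as a fixed release: patched iff at or beyond it.
    same_branch = [f for f in fixed if f[:2] == version[:2]]
    if same_branch:
        return version < min(same_branch)
    # No fixed release on this branch: a branch newer than every fixed branch is
    # assumed to carry the fix; an older branch never received it.
    newest_fixed_branch = max(f[:2] for f in fixed)
    return version[:2] < newest_fixed_branch


def check_versions(version_texts: list[str]) -> dict[str, bool]:
    """Map each version string to its vulnerable/not-vulnerable verdict."""
    return {text: is_vulnerable(text) for text in version_texts}


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus an unpatched older branch.
    for text, vulnerable in check_versions(
        ["3.5.3", "3.5.4", "2025.11.2", "2025.12.0", "2026.1.0", "2025.10.5"]
    ).items():
        print(f"{text:>10}: {'VULNERABLE' if vulnerable else 'patched'}")
```

Feed it the version string shown in the admin interface; anything the function flags should be upgraded to the fixed release on its branch rather than to the nearest number.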
📡 Detection & Monitoring
Log Indicators:
- Moderator actions converting personal messages to topics
- Unexpected topic creation from private messages
Network Indicators:
- API calls to convert personal messages by moderator accounts
SIEM Query:
source="discourse" action="convert_to_public_topic" user_role="moderator"
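The SIEM query above assumes the log pipeline already exposes `action` and `user_role` as fields. The script below (an added example, not code from the advisory or from Discourse) applies the same rule to raw JSON-lines log entries: every personal-message conversion performed by a moderator account is flagged, while the same action by an admin is left alone, since admins are expected to have that ability. The field names (`action`, `user_role`, `actor`, `topic_id`, `ts`) and the sample entries are constructed to match the page's query, not Discourse's real staff-action log schema, so map them to your own export before use.

```python
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, in the field layout the SIEM query above assumes.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:12:03Z","action":"convert_to_public_topic","user_role":"moderator","actor":"mod_alice","topic_id":4521}
{"ts":"2026-01-10T09:15:41Z","action":"convert_to_public_topic","user_role":"admin","actor":"admin_bob","topic_id":4530}
{"ts":"2026-01-10T09:20:00Z","action":"topic_closed","user_role":"moderator","actor":"mod_alice","topic_id":4521}
{"ts":"2026-01-10T10:02:17Z","action":"convert_to_public_topic","user_role":"moderator","actor":"mod_carol","topic_id":4577}
this line is deliberately not JSON
"""

WATCHED_ACTION = "convert_to_public_topic"
WATCHED_ROLE = "moderator"


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    topic_id: int


def detect_moderator_pm_conversions(log_text: str) -> list[Finding]:
    """Return one Finding per personal-message conversion done by a moderator."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            # Skip malformed lines rather than abort the whole scan.
            continue
        if entry.get("action") != WATCHED_ACTION:
            continue
        if entry.get("user_role") != WATCHED_ROLE:
            continue
        findings.append(
            Finding(
                ts=str(entry.get("ts", "")),
                actor=str(entry.get("actor", "<unknown>")),
                topic_id=int(entry.get("topic_id", -1)),
            )
        )
    return findings


def conversions_per_actor(findings: list[Finding]) -> dict[str, int]:
    """Count flagged conversions by moderator account for triage."""
    return dict(Counter(f.actor for f in findings))


if __name__ == "__main__":
    hits = detect_moderator_pm_conversions(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.ts} moderator {hit.actor} converted PM topic {hit.topic_id}")
    print("per actor:", conversions_per_actor(hits))
```

On an unpatched instance any hit is worth a look, because moderators should not be able to perform this conversion at all; after patching, a continued stream of hits from moderator accounts would suggest the upgrade did not take effect.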