CVE-2026-23743
📋 TL;DR
This vulnerability in Discourse allows attackers to obtain sensitive information about private resources through URL redirects. When users without proper permissions access permalinks to restricted content, the system leaks information via redirect headers and error pages. All Discourse instances running vulnerable versions are affected.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map out all private discussions, categories, and hidden tags, potentially exposing confidential business information, private conversations, or sensitive organizational structures.
Likely Case
Information disclosure of private topic titles, category names, and hidden tag information, allowing attackers to infer sensitive organizational details or discussion topics.
If Mitigated
With proper access controls and monitoring, the impact is limited to information leakage rather than data modification or system compromise.
🎯 Exploit Status
Exploitation requires access to permalinks but no authentication. Simple HTTP requests can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to one of the patched versions using your deployment method (Docker, manual, etc.).
3. Restart the application.
4. Verify the update completed successfully.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the Discourse instance.
- Monitor logs for unusual access patterns to permalink URLs and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Compare your Discourse version against the patched versions listed under Official Fix. If you are running a version older than the patched versions, you are vulnerable.
Check Version:
For Docker deployments:
docker exec -it discourse cat /home/discourse/discourse/VERSION
Alternatively, check the version info on the admin dashboard.
Verify Fix Applied:
After updating, test that accessing permalinks to private resources returns proper access denied messages without leaking information in redirects or error pages.
📡 Detection & Monitoring
Log Indicators:
- Multiple 404 responses to permalink URLs
- Access to URLs containing private resource slugs from unauthorized users
Network Indicators:
- HTTP 302 redirects to URLs containing private resource information
- Unusual patterns of permalink access
SIEM Query:
source="discourse-logs" AND (status=404 OR status=302) AND uri CONTAINS "/t/" AND NOT user_agent="internal"
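The same filter as the SIEM query above, applied to raw web access logs and grouped per client, so that one stray 404 is ignored while a client walking many different /t/ URLs is flagged. This is an added example, not code from the advisory or from Discourse; the combined log format, the `min_distinct_paths` threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Assumed combined log format:
# ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

WATCHED_STATUSES = {"302", "404"}  # statuses named in the query above


def flag_permalink_probing(lines, min_distinct_paths=5):
    """Return {client_ip: sorted distinct paths} for clients that received
    302/404 on at least `min_distinct_paths` different /t/ URLs.
    The threshold is a hypothetical starting value; tune it per site."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        if m["status"] not in WATCHED_STATUSES:
            continue
        if "/t/" not in m["path"] or m["agent"] == "internal":
            continue
        # Drop the query string so varying parameters do not inflate the count
        seen[m["ip"]].add(m["path"].split("?", 1)[0])
    return {ip: sorted(paths) for ip, paths in seen.items()
            if len(paths) >= min_distinct_paths}


# Constructed sample log lines (documentation IP ranges, made-up slugs)
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jan/2026:10:00:0{i} +0000] "GET /t/old-link-{i} HTTP/1.1" '
    f'{status} 0 "-" "curl/8.5.0"'
    for i, status in enumerate([302, 404, 302, 404, 302, 404])
] + [
    '198.51.100.4 - - [10/Jan/2026:10:01:00 +0000] "GET /t/welcome/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2026:10:01:05 +0000] "GET /t/missing-page HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2026:10:02:00 +0000] "GET /t/health-1 HTTP/1.1" 404 0 "-" "internal"',
]

if __name__ == "__main__":
    for ip, paths in flag_permalink_probing(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct /t/ URLs answered with 302/404")
```

Counting distinct paths rather than raw hits keeps a single broken bookmark that is retried many times from raising an alert.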