CVE-2026-24742
📋 TL;DR
This CVE allows non-admin moderators in Discourse to view sensitive information in staff action logs that should be restricted to administrators only. The exposed data includes webhook secrets, API keys, private messages, and confidential configuration details. All Discourse instances with non-admin moderators running affected versions are vulnerable.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to webhook secrets and API keys, enabling them to spoof webhook events to integrated services, access private communications, and extract sensitive configuration data leading to full system compromise.
Likely Case
Moderators with malicious intent or compromised accounts access confidential information including private messages, API keys, and webhook secrets, potentially leading to data breaches and unauthorized system access.
If Mitigated
With proper access controls and trusted moderators only, the risk is limited to accidental exposure of sensitive information to authorized personnel.
🎯 Exploit Status
Exploitation requires moderator-level access. Attackers simply need to access the staff action logs interface which is available to moderators by default in affected versions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6
Restart Required: Yes
Instructions:
1. Backup your Discourse instance.
2. Update to Discourse version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later.
3. Restart the Discourse application.
4. Verify the update was successful.
🔧 Temporary Workarounds
Limit Moderator Appointments
Review and limit moderator appointments to fully trusted users only as a temporary measure until patching.
🧯 If You Can't Patch
- Immediately review all moderator appointments and remove any non-essential or untrusted moderators
- Implement additional monitoring of moderator activity and staff action log access
🔍 How to Verify
Check if Vulnerable:
Check your Discourse version. If it is earlier than the patched release for your release line (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0), you are vulnerable.
Check Version:
Check Discourse admin panel or run: `cd /var/discourse && ./launcher status app`
Verify Fix Applied:
After updating, verify the version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later, and test that non-admin moderators can no longer access sensitive information in staff action logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to staff action logs by non-admin users
- Multiple requests to staff action log endpoints from moderator accounts
Network Indicators:
- Increased traffic to staff action log API endpoints
SIEM Query:
source="discourse" AND (uri_path="/admin/logs/staff_action_logs" OR uri_path CONTAINS "staff_action") AND user_role="moderator"
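The SIEM query above expressed as standalone detection logic, as an added example that is not part of the original advisory. It runs over constructed JSON log lines whose field names (`uri_path`, `user_role`, `username`) are assumed to mirror the query; real Discourse request logs may need a different parser, and the threshold is a tuning knob, not a documented value.

```python
import json
from collections import defaultdict

# Constructed sample log lines in an assumed JSON layout. Field names follow
# the page's SIEM query (uri_path, user_role); "username" is assumed.
SAMPLE_LOGS = """
{"ts": "2026-01-20T10:00:01Z", "username": "alice", "user_role": "admin", "uri_path": "/admin/logs/staff_action_logs"}
{"ts": "2026-01-20T10:00:05Z", "username": "mod_bob", "user_role": "moderator", "uri_path": "/admin/logs/staff_action_logs"}
{"ts": "2026-01-20T10:00:06Z", "username": "mod_bob", "user_role": "moderator", "uri_path": "/admin/logs/staff_action_logs.json?page=1"}
{"ts": "2026-01-20T10:00:07Z", "username": "mod_bob", "user_role": "moderator", "uri_path": "/admin/logs/staff_action_logs.json?page=2"}
{"ts": "2026-01-20T10:01:00Z", "username": "mod_carol", "user_role": "moderator", "uri_path": "/t/some-topic/42"}
{"ts": "2026-01-20T10:02:00Z", "username": "mod_carol", "user_role": "moderator", "uri_path": "/admin/logs/staff_action_logs"}
not valid json at all
"""


def is_staff_log_access(uri_path: str) -> bool:
    """Same predicate as the SIEM query: the exact admin path, or any path
    containing 'staff_action' (which also catches the .json variants)."""
    return uri_path == "/admin/logs/staff_action_logs" or "staff_action" in uri_path


def find_moderator_staff_log_access(raw_logs: str, threshold: int = 2) -> dict:
    """Return {username: request_count} for non-admin moderators whose staff
    action log requests reach `threshold`. Admin access is expected and not
    reported; malformed lines are skipped instead of aborting the scan."""
    counts = defaultdict(int)
    for line in raw_logs.strip().splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("user_role") != "moderator":
            continue
        if is_staff_log_access(entry.get("uri_path", "")):
            counts[entry.get("username", "<unknown>")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in find_moderator_staff_log_access(SAMPLE_LOGS).items():
        print(f"review: moderator {user} requested staff action logs {n} times")
```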