CVE-2026-33514
Discourse: Information Disclosure in Form Template API Due to Missing Authorization
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
| CWE | CWE-862 |
| Vendor | discourse |
| Product | discourse |
| Published | May 19, 2026 |
| Last Updated | May 19, 2026 |
Affected Versions
discourse / discourse
< 2026.1.4
>= 2026.3.0-latest, < 2026.3.1
>= 2026.4.0-latest, < 2026.4.1
>= 2026.5.0-latest, < 2026.5.0-latest.1