CVE-2026-45780
Discourse: Private event sample invitees are serialized to non-invited event viewers
CVSS Score
5.3
EPSS Score
0.4%
EPSS Percentile
32th
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
| CWE | CWE-200 |
| Vendor | discourse |
| Product | discourse |
| Published | Jul 9, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for discourse discourse
Be the first to know when new medium vulnerabilities affecting discourse discourse are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
discourse / discourse
>= 2026.1.0-latest, < 2026.1.5 >= 2026.4.0-latest, < 2026.4.2 >= 2026.5.0-latest, < 2026.5.1
References
github.com: https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7 github.com: https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1 github.com: https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586 github.com: https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023 github.com: https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730 github.com: https://github.com/discourse/discourse/releases/tag/v2026.1.5 github.com: https://github.com/discourse/discourse/releases/tag/v2026.4.2 github.com: https://github.com/discourse/discourse/releases/tag/v2026.5.1 github.com: https://github.com/discourse/discourse/releases/tag/v2026.6.0