Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- discourse / discourse>= 2026.1.0-latest, < 2026.1.4 – >= 2026.1.0-latest, < 2026.1.4
- discourse / discourse>= 2026.3.0-latest, < 2026.3.1 – >= 2026.3.0-latest, < 2026.3.1
- discourse / discourse>= 2026.4.0-latest, < 2026.4.1 – >= 2026.4.0-latest, < 2026.4.1