Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- discourse / discourse>= 2026.1.0-latest, < 2026.1.4 – >= 2026.1.0-latest, < 2026.1.4
- discourse / discourse>= 2026.3.0-latest, < 2026.3.1 – >= 2026.3.0-latest, < 2026.3.1
- discourse / discourse>= 2026.4.0-latest, < 2026.4.1 – >= 2026.4.0-latest, < 2026.4.1