Discourse ComposerController Mentions Leak: Hidden Group Membership v<2026.3
CVE-2026-31869 Published on March 20, 2026

Discourse: Composer mentions endpoint leaks hidden group membership through PM `allowed_names` check
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerController#mentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowed_names referencing a hidden-membership group and probing arbitrary usernames, an attacker can infer membership based on whether user_reasons returns "private" for a given user. This bypasses group member-visibility controls. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. To work around this issue, restrict the messageable policy of any hidden-membership group to staff or group members only, so untrusted users cannot reach the vulnerable code path.

NVD

Weakness Types

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-31869 has been classified to as an Information Disclosure vulnerability or weakness.

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-31869 has been classified to as an AuthZ vulnerability or weakness.

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2026-31869 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.


Products Associated with CVE-2026-31869

Want to know whenever a new CVE is published for Discourse? stack.watch will email you.

Discourse
 

Affected Versions

discourse: