Discourse GrpPostSer: Misnamed Predicate Leaks Names (v2026.1.0-<2026.1.4)
CVE-2026-44782 Published on June 12, 2026
Discourse: GroupPostSerializer leaks hidden full names through reaction post association
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Vulnerability Analysis
CVE-2026-44782 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-44782 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2026-44782
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version >= 2026.1.0-latest, < 2026.1.4 is affected.
- Version >= 2026.3.0-latest, < 2026.3.1 is affected.
- Version >= 2026.4.0-latest, < 2026.4.1 is affected.