CVE-2026-27934
Published: 19 March 2026
Summary
CVE-2026-27934 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Discourse Discourse. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for access to information, addressing the lack of visibility checks in the user action API endpoint that enabled unauthorized disclosure of titles and post excerpts.
- AU-13 (Monitoring for Information Disclosure): Specifically monitors for potential information disclosures, enabling identification of unauthorized access to restricted content via the vulnerable API endpoint.
- Least privilege: Applies least privilege to restrict user access to only necessary resources, limiting the scope of information disclosure even with incomplete visibility enforcement.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote information disclosure vulnerability in the public-facing Discourse web application/API, which is directly exploitable using T1190 (Exploit Public-Facing Application) to access restricted content.
NVD Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Deeper analysis
CVE-2026-27934 is an information disclosure vulnerability in Discourse, an open-source discussion platform. It stems from a lack of visibility checks in a user action API endpoint, which allows unauthorized users to read the title and post excerpt of otherwise restricted content. The issue affects all versions of Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. Successful exploitation enables the attacker to disclose sensitive titles and post excerpts that should not be visible to them, potentially revealing private or moderated discussion content across the platform.
According to the advisory, Discourse has patched the vulnerability in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No known workarounds are available. Security practitioners should prioritize upgrading affected installations. For full details, refer to the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-824f-66wh-xx3g.
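As an added illustration, not Discourse's own code, of the defect class described above (an endpoint that serializes a user's actions without checking whether the requesting viewer may see the underlying topic), the following Ruby model places the leaky shape beside the hardened one. The Topic, User and UserAction structures and the visibility rule are constructed assumptions, not Discourse's real models or its Guardian logic.

```ruby
# Constructed stand-ins for the data a user-actions endpoint serializes.
# (Assumed shapes; not Discourse's real models.)
Topic      = Struct.new(:id, :title, :excerpt, :visible_to_groups, :archetype, :participant_ids)
User       = Struct.new(:id, :group_ids, :admin)
UserAction = Struct.new(:action_type, :acting_user_id, :topic)

# Simplified visibility rule: admins see everything; a private message is
# visible only to its participants; any other topic is visible only when the
# viewer belongs to a group its category permits. viewer == nil means anonymous.
def can_see_topic?(viewer, topic)
  return true if viewer&.admin
  if topic.archetype == :private_message
    return !viewer.nil? && topic.participant_ids.include?(viewer.id)
  end
  return true if topic.visible_to_groups.include?(:everyone)
  return false if viewer.nil?
  (topic.visible_to_groups & viewer.group_ids).any?
end

def serialize(action)
  { type: action.action_type, title: action.topic.title, excerpt: action.topic.excerpt }
end

# Leaky shape: every action of the requested user is serialized regardless of
# who is asking, so titles/excerpts of restricted topics reach the response.
def user_actions_vulnerable(actions, _viewer)
  actions.map { |a| serialize(a) }
end

# Hardened shape: enforce the visibility check per action before serializing,
# so restricted titles/excerpts are never placed in the sent data (CWE-201).
def user_actions_hardened(actions, viewer)
  actions.select { |a| can_see_topic?(viewer, a.topic) }.map { |a| serialize(a) }
end

# Constructed sample data: one public topic, one staff-only topic, one PM.
PUBLIC_TOPIC = Topic.new(1, "Welcome", "Hello all", [:everyone], :regular, [])
STAFF_TOPIC  = Topic.new(2, "Moderation queue", "Review flag 42", [:staff], :regular, [])
PM_TOPIC     = Topic.new(3, "Re: schedule", "Can we move to Tuesday?", [], :private_message, [7, 8])
ACTIONS = [PUBLIC_TOPIC, STAFF_TOPIC, PM_TOPIC].map { |t| UserAction.new(:posted, 7, t) }
ANONYMOUS = nil
MEMBER    = User.new(9, [:trust_level_1], false)

if __FILE__ == $PROGRAM_NAME
  puts "leaky:    #{user_actions_vulnerable(ACTIONS, ANONYMOUS).map { |h| h[:title] }.inspect}"
  puts "hardened: #{user_actions_hardened(ACTIONS, ANONYMOUS).map { |h| h[:title] }.inspect}"
end
```

Run as-is to see the anonymous viewer receive all three titles from the leaky version and only the public one from the hardened version.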
Details
- CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)