BIT-discourse-2026-27153

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-27153.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2026-27153

Aliases

CVE-2026-27153
GHSA-5cp2-jq8m-33mf

Published

2026-03-03T13:29:23.447Z

Modified

2026-03-03T14:26:17.319687Z

Summary

Discourse doesn't prevent moderators from exporting user Chat DMs

Details

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in can_export_entity?. The method allowed moderators to export any entity not explicitly blocked instead of restricting to an explicit allowlist. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Low"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2025.12.2

Introduced

2026.1.0

Fixed

2026.1.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-27153.json"