CVE-2026-24742

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24742
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24742.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24742
Aliases
Published
2026-01-28T20:11:30.982Z
Modified
2026-03-01T02:57:20.925027Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Discourse staff action logs expose sensitive information to moderators
Details

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24742.json"
}
References

Affected packages

Git / github.com/discourse/discourse

Affected ranges

Type
GIT
Repo
https://github.com/discourse/discourse
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
78a28cf8d4af429df45c8c48225be125193e5d7a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/discourse/discourse
Events
Introduced
75d61b40ee928a4620b16f5438ca886678fab00d
Fixed
f31b18139a7aadbc4a5f7e8e565a6f4376010c3a
Database specific 
{
    "versions": [
        {
            "introduced": "2025.11.0-latest"
        },
        {
            "fixed": "2025.11.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/discourse/discourse
Events
Introduced
3e7317b3344cca6c6510a32cc4c5c0f540132ad9
Fixed
a06dd5861f88643107c9c534a3e75ce4c5fe4bec
Database specific 
{
    "versions": [
        {
            "introduced": "2025.12.0-latest"
        },
        {
            "fixed": "2025.12.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/discourse/discourse
Events
Introduced
322d3c0ac6a8f133b3f82875e9dbbe310f638c1b
Fixed
322d3c0ac6a8f133b3f82875e9dbbe310f638c1b
Database specific 
{
    "versions": [
        {
            "introduced": "2026.1.0-latest"
        },
        {
            "fixed": "2026.1.0"
        }
    ]
}

Affected versions

Other
beta
latest-release
release
v2025.*
v2025.11.0
v2025.11.1
v2025.12.0
v2025.12.0-latest
v2026.*
v2026.1.0-latest

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24742.json"