CVE-2026-32618
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id
4.3
MEDIUM
CVSS 3.1
EPSS 0.05%
Description
Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
How to fix CVE-2026-32618
To remediate CVE-2026-32618, upgrade the affected package to a fixed version below.
- —upgrade to 2026.1.3 or later
Is CVE-2026-32618 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2026.1.0, < 2026.1.3, >= 2026.2.0, < 2026.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |