PatchSiren cyber security CVE debrief
CVE-2026-32244 discourse CVE debrief
A vulnerability in Discourse, an open-source discussion platform, allows outdated cached AI summaries to leak removed content to anonymous and unprivileged users who cannot regenerate summaries. The issue affects versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. The vulnerability stems from improper handling of cached AI-generated summaries when underlying content has been removed or modified, potentially exposing information to users who should not have access. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network accessibility with low attack complexity, no required privileges, and no user interaction needed, with low confidentiality impact. The weakness classifications include CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-524 (Use of Cache Containing Sensitive Information), and CWE-672 (Operation on a Resource after Expiration or Release).
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations running self-hosted Discourse instances with AI summarization features enabled; administrators managing content moderation workflows where posts or topics may be removed; security teams concerned with information disclosure through AI-generated artifacts.
Technical summary
The vulnerability exists in Discourse's AI summarization feature where cached summaries are not properly invalidated or refreshed when the underlying source content is removed. Anonymous and unprivileged users who request summaries may receive cached versions containing content they no longer have permission to view, as they cannot trigger summary regeneration. The fix ensures proper cache invalidation or access control checks against cached summaries.
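The cache-validation pattern the technical summary describes, shown as an added illustration that is not Discourse's own code: a toy summary cache that records a digest of the source posts at generation time, with the unsafe lookup (serve whatever is cached) next to the checked lookup (evict and refuse once the underlying posts have changed). The Post struct, SummaryCache class and naive_summarize helper are constructed for this example and stand in for Discourse's real models and AI summarizer.

```ruby
require "digest"

# Constructed toy post model (id, text, soft-delete flag); not Discourse's schema.
Post = Struct.new(:id, :text, :deleted, keyword_init: true)

class SummaryCache
  def initialize
    @entries = {} # topic_id => { summary:, digest: }
  end

  # Digest of the non-deleted content a summary was built from. Removing or
  # editing a post changes the digest, which is what makes a cached entry stale.
  def self.content_digest(posts)
    material = posts.reject(&:deleted).map { |p| "#{p.id}:#{p.text}" }.join("\n")
    Digest::SHA256.hexdigest(material)
  end

  def store(topic_id, posts, summary)
    @entries[topic_id] = { summary: summary, digest: self.class.content_digest(posts) }
  end

  # Vulnerable lookup: returns the cached summary regardless of whether the
  # source posts still exist or are still visible (CWE-524 / CWE-672 pattern).
  def fetch_unsafe(topic_id)
    @entries.dig(topic_id, :summary)
  end

  # Hardened lookup. `posts` must be the posts as the requesting viewer is
  # allowed to see them, so a summary generated over content the viewer can
  # no longer access never matches. A stale entry is evicted and nil is
  # returned; the caller regenerates if permitted, or shows no summary.
  def fetch_checked(topic_id, posts)
    entry = @entries[topic_id]
    return nil unless entry
    if entry[:digest] != self.class.content_digest(posts)
      @entries.delete(topic_id)
      return nil
    end
    entry[:summary]
  end

  # Explicit invalidation hook, to be called from post delete/edit paths.
  def invalidate(topic_id)
    @entries.delete(topic_id)
  end
end

# Toy stand-in for the AI model: first three words of each visible post.
def naive_summarize(posts)
  posts.reject(&:deleted).map { |p| p.text.split.first(3).join(" ") }.join(" / ")
end

# Walks through the leak and the fix on constructed data.
def demo
  posts = [
    Post.new(id: 1, text: "Release notes for the new version", deleted: false),
    Post.new(id: 2, text: "Internal credentials are in the wiki", deleted: false),
  ]
  cache = SummaryCache.new
  cache.store(42, posts, naive_summarize(posts))

  # A moderator removes post 2 after the summary was cached.
  posts[1].deleted = true

  leaked = cache.fetch_unsafe(42)         # still carries post 2's words
  safe   = cache.fetch_checked(42, posts) # nil: stale entry evicted, nothing served

  { leaked: leaked, safe: safe, regenerated: naive_summarize(posts) }
end

p demo if __FILE__ == $0
```

Keying the check on a digest of the viewer-visible content covers both failure modes named in the summary: content that was removed (the digest changes for everyone) and content a particular viewer cannot see (the digest differs for that viewer). A user who cannot trigger regeneration simply gets no summary instead of the cached one.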
Defensive priority
medium
Recommended defensive actions
- Upgrade Discourse to versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 or later
- If immediate patching is not feasible, restrict summary generation by tightening allowed groups on summarization Personas
- Review and clear existing AI summary caches to remove potentially stale data containing removed content
- Audit access logs for AI summary endpoints to identify potential unauthorized access to cached summaries
- Verify that summarization Persona permissions align with content access controls
Evidence notes
CVE published 2026-05-19T00:16:37.100Z; modified 2026-05-19T14:44:04.023Z. Advisory source: GitHub Security Advisory GHSA-hjmg-2mww-vfvx.
Official resources
- CVE-2026-32244 CVE record (CVE.org)
- CVE-2026-32244 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-19