PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33514 discourse CVE debrief

An authenticated information disclosure vulnerability exists in Discourse's form templates feature. Affected versions fail to enforce category-level authorization checks when retrieving form template metadata, allowing any authenticated user to read template names and structured content intended for restricted categories. The vulnerability requires the form templates feature to be enabled and valid user authentication. Impact is limited to configuration metadata disclosure without data modification capabilities.

Vendor: discourse
Product: Unknown
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Discourse instance administrators, particularly those running multi-category deployments that use form templates for structured data collection, and organizations whose category-restricted templates contain sensitive field schemas or internal naming conventions.

Technical summary

The vulnerability exists in Discourse's form templates feature, where authorization checks for category-restricted templates are not properly enforced. Authenticated users can query template metadata across category boundaries, exposing template names and structured field definitions. The issue stems from missing authorization validation in the template retrieval endpoints. Remediation consists of upgrading to versions that apply category-scoped access controls when template metadata is retrieved.
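The CWE-862 shape described above, modelled in plain Ruby as an added example (this is illustrative code, not Discourse's implementation): a lookup that only checks for a logged-in user beside one that also scopes the template to categories the caller is allowed to see. The `Category`, `FormTemplate`, `User` structs and the `can_see_category?` check are assumptions constructed for the example.

```ruby
# Illustrative model (not Discourse's code): every form template belongs to a
# category, and a category may be restricted to certain groups.
Category = Struct.new(:id, :name, :allowed_group_ids)   # nil => visible to everyone
FormTemplate = Struct.new(:id, :name, :category_id, :template)
User = Struct.new(:id, :group_ids)

# Constructed sample data: one public category, one restricted to group 10.
CATEGORIES = [
  Category.new(1, "public", nil),
  Category.new(2, "staff-only", [10]),
].freeze

TEMPLATES = [
  FormTemplate.new(100, "bug-report", 1, "- type: input\n  id: steps"),
  FormTemplate.new(200, "hr-incident", 2, "- type: input\n  id: employee_id"),
].freeze

# Minimal guardian-style check: may this user see the category at all?
def can_see_category?(user, category)
  return true if category.allowed_group_ids.nil?
  !(user.group_ids & category.allowed_group_ids).empty?
end

# Missing-authorization lookup (CWE-862): authentication is verified, but
# nothing ties the template to a category the caller is permitted to view,
# so any logged-in user can read name and structured content of any template.
def find_template_missing_authz(user, template_id)
  raise "login required" if user.nil?
  TEMPLATES.find { |t| t.id == template_id }
end

# Category-scoped lookup: the same request is answered only when the caller
# can see the owning category. Returning nil (rendered as 404) rather than a
# distinct 403 avoids confirming that a restricted template id exists.
def find_template_scoped(user, template_id)
  raise "login required" if user.nil?
  tpl = TEMPLATES.find { |t| t.id == template_id }
  return nil if tpl.nil?
  cat = CATEGORIES.find { |c| c.id == tpl.category_id }
  can_see_category?(user, cat) ? tpl : nil
end

# Listing must be scoped the same way, or the index leaks what the show
# endpoint protects.
def list_templates_scoped(user)
  raise "login required" if user.nil?
  visible = CATEGORIES.select { |c| can_see_category?(user, c) }.map(&:id)
  TEMPLATES.select { |t| visible.include?(t.category_id) }
end
```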

Defensive priority

medium

Recommended defensive actions

  • Upgrade Discourse to patched versions 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1
  • If immediate patching is not feasible, evaluate whether the form templates feature can be temporarily disabled
  • Review access logs for unusual template metadata access patterns by authenticated users
  • Verify category permission configurations are correctly enforced after patching

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-w6g7-p2p9-2m5h with associated commit ae5c9570fb918442c4d96abc83c1e7e169909b02. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, a privilege requirement, and high confidentiality impact on the vulnerable component. CWE-862 (Missing Authorization) is classified as the primary weakness. NVD status was 'Undergoing Analysis' as of 2026-05-19T14:44:04Z.
