PatchSiren cyber security CVE debrief
CVE-2026-44782 discourse CVE debrief
CVE-2026-44782 is a vulnerability in Discourse, an open-source discussion platform. The issue involves an incorrect predicate in GroupPostSerializer, leading to unintended serialization of user names. Versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 are affected. The vulnerability has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Discourse, specifically those running versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, should be aware of this vulnerability and take steps to update to a patched version.
Technical summary
The GroupPostSerializer in Discourse incorrectly used the predicate 'include_user_long_name?' instead of 'include_name?'. This mistake led to the serialization of object.user.name regardless of the SiteSetting.enable_names configuration. The CVSS score for this vulnerability is 4.3, indicating a Medium severity.
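The predicate mismatch described above, modelled in a small Ruby serializer. This is an added example, not Discourse's code: `ToySerializer`, both subclasses, the settings hash and the sample data are constructed stand-ins, and the `include_<attribute>?` lookup is an assumed simplification of the serializer convention.

```ruby
# Toy base class (constructed): an attribute is emitted unless a method
# named include_<attribute>? exists and returns false.
class ToySerializer
  def self.attributes(*names)
    (@attrs ||= []).concat(names)
  end

  def self.attrs
    @attrs || []
  end

  attr_reader :object

  def initialize(object, settings)
    @object = object
    @settings = settings # stand-in for SiteSetting
  end

  def as_json
    self.class.attrs.each_with_object({}) do |attr, out|
      guard = "include_#{attr}?"
      next if respond_to?(guard) && !public_send(guard)
      out[attr] = public_send(attr)
    end
  end
end

User = Struct.new(:username, :name)
Post = Struct.new(:user)

# Guard is named for an undeclared attribute, so nothing consults it for :name.
class MisnamedGuardSerializer < ToySerializer
  attributes :username, :name
  def username; object.user.username; end
  def name; object.user.name; end
  def include_user_long_name?; @settings[:enable_names]; end
end

# Guard name matches the attribute, so the setting is honoured.
class MatchingGuardSerializer < MisnamedGuardSerializer
  attributes :username, :name
  def include_name?; @settings[:enable_names]; end
end

# Constructed sample data.
SAMPLE_POST = Post.new(User.new("sam", "Sam Example"))
[MisnamedGuardSerializer, MatchingGuardSerializer].each do |klass|
  puts "#{klass}: #{klass.new(SAMPLE_POST, { enable_names: false }).as_json}"
end
```

A regression test for this class of bug asserts on the serialized keys with the setting disabled, since the misnamed guard raises no error and is simply never called.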
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of Discourse: 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1.
Evidence notes
CVE-2026-44782 was published on 2026-06-12T21:16:21.780Z and has a CVSS score of 4.3. The vulnerability was patched in multiple versions of Discourse.
Official resources
- CVE-2026-44782 CVE record (CVE.org)
- CVE-2026-44782 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
This CVE debrief was generated based on the provided source corpus and official links, following strict guidelines to ensure accuracy and relevance.