PatchSiren cyber security CVE debrief
CVE-2026-44785 discourse CVE debrief
CVE-2026-44785 is a vulnerability in the Discourse open-source discussion platform. The AI 'explain' helper only checks can_see? on the post being explained, not its reply_to_post. This allows any authenticated user with access to the AI helper to read the raw contents of a hidden parent post by invoking 'Explain' on a reply to it. The affected versions are from 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. The issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
- Vendor
- discourse
- Product
- Unknown
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of Discourse, specifically those with authenticated access to the AI helper, should be aware of this vulnerability and take steps to update to a patched version.
Technical summary
The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness is classified as CWE-200.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of Discourse (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1) to prevent exploitation of this vulnerability.
Evidence notes
The vulnerability was published on June 12, 2026, and has not been modified since then.
Official resources
-
CVE-2026-44785 CVE record
CVE.org
-
CVE-2026-44785 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-44785 was published on 2026-06-12T21:16:22.180Z.