PatchSiren cyber security CVE debrief

CVE-2026-45085 Discourse CVE debrief

CVE-2026-45085 is a MEDIUM-severity vulnerability (CVSS Score: 5.3) affecting the Discourse open-source discussion platform. It impacts sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. In versions from 2026.1.0-latest before 2026.1.4, from 2026.3.0-latest before 2026.3.1, and from 2026.4.0-latest before 2026.4.1, four authorization and disclosure issues were found: read-only category users could create chat threads; authors could restore their own self-deleted chat messages after their channel access was revoked; moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content); and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access, including anonymous users. These issues have been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Vendor: discourse
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Sites running the Discourse platform with the chat plugin enabled should be aware of this vulnerability, particularly those that grant read-only category access or rely on moderators to review flagged chat messages. Sites that also run discourse-calendar are affected by the calendar-specific issue as well.

Technical summary

The vulnerability involves multiple issues in the Discourse chat plugin: improper authorization allowing read-only users to create chat threads, improper handling of deleted messages allowing authors to restore them after access revocation, exposure of unrelated DM content to moderators reviewing flagged messages, and exposure of chat channel information through calendar event payloads.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a patched version (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1) if using an affected version of Discourse with the chat plugin enabled.
  • Review and restrict chat plugin access and permissions, especially for read-only category users and moderators.

Evidence notes

CVE-2026-45085 was published on 2026-06-12T21:16:23.123Z and has a CVSS Score of 5.3, indicating a MEDIUM severity vulnerability.
