PatchSiren cyber security CVE debrief
CVE-2026-45780 discourse CVE debrief
CVE-2026-45780 is an information disclosure vulnerability in Discourse's EventSerializer. The issue allows users who can view a topic but not the private event invitee list to see invited group names, sample invitees, and attendance statistics. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The vulnerability arises from inadequate access controls in the EventSerializer, which could expose sensitive information to unauthorized users. Users of Discourse should be aware of this vulnerability and ensure their instances are updated to a fixed version.
- Vendor
- discourse
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of Discourse, particularly those with administrative access, should be aware of this vulnerability and ensure their instances are updated to a fixed version. Additionally, users with access to event invitee lists should review and adjust their permissions to prevent unauthorized access. Security teams should monitor for any suspicious activity related to event serialization.
Technical summary
The EventSerializer in Discourse could expose sensitive information, including invited group names, sample invitees, and attendance statistics, to users who do not have the necessary permissions. This issue arises from inadequate access controls in the EventSerializer. The vulnerability has been addressed in Discourse versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. Affected users should update their instances to a fixed version and review user permissions to prevent unauthorized access.
Defensive priority
Medium priority due to the potential for information disclosure, but not currently exploited.
Recommended defensive actions
- Update Discourse to version 2026.6.0, 2026.5.1, 2026.4.2, or 2026.1.5, or later
- Review and adjust user permissions to ensure only authorized access to event invitee lists
- Monitor for any suspicious activity related to event serialization
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-09T22:17:04.770Z and was last modified on 2026-07-10T15:52:29.883Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The EventSerializer in Discourse could expose sensitive information, including invited group names, sample invitees, and attendance statistics, to users who do not have the necessary permissions.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T22:17:04.770Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.