PatchSiren cyber security CVE debrief
CVE-2026-47264 discourse CVE debrief
CVE-2026-47264 is an information disclosure vulnerability in Discourse's DetailedTagSerializer. Affected versions are 2026.1.0-latest up to but not including 2026.1.4, 2026.3.0-latest up to but not including 2026.3.1, and 2026.4.0-latest up to but not including 2026.4.1. When SiteSetting.tags_listed_by_group is enabled, anonymous and unprivileged users can read the names of tag groups that are restricted to specific user groups or to non-visible categories.
- Vendor: discourse
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Discourse, especially those with SiteSetting.tags_listed_by_group enabled, should be aware of this vulnerability and take action to patch their installations.
Technical summary
The DetailedTagSerializer#tag_group_names method returned every tag group a tag belonged to without filtering against the requesting user's visibility. As a result, the serialized tag exposed the names of restricted tag groups to users who were not permitted to see them.
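The missing check, shown on a simplified model as an added example (not Discourse source code and not part of the advisory). TagGroup, Viewer, Tag, both serializer classes and the visibility rule are assumptions made for illustration; only the method name tag_group_names comes from the advisory.

```ruby
# Constructed model: every class here is a hypothetical stand-in,
# not Discourse source code.
TagGroup = Struct.new(:name, :allowed_group_ids, :category_ids) do
  # Assumed rule: allowed_group_ids nil => no user-group restriction;
  # category_ids empty => not tied to any category.
  def visible_to?(viewer)
    group_ok = allowed_group_ids.nil? || (allowed_group_ids & viewer.group_ids).any?
    category_ok = category_ids.empty? || (category_ids & viewer.visible_category_ids).any?
    group_ok && category_ok
  end
end

Viewer = Struct.new(:group_ids, :visible_category_ids)
ANONYMOUS = Viewer.new([], [1])       # no groups, sees only public category 1
STAFF     = Viewer.new([10], [1, 2])  # in group 10, also sees private category 2

Tag = Struct.new(:name, :tag_groups)

# Behaviour described in the technical summary: no visibility filter.
class UnfilteredTagSerializer
  def initialize(tag, viewer)
    @tag = tag
    @viewer = viewer
  end

  def tag_group_names
    @tag.tag_groups.map(&:name)
  end
end

# Hardened form: return only tag groups the requesting viewer may see.
class FilteredTagSerializer < UnfilteredTagSerializer
  def tag_group_names
    @tag.tag_groups.select { |g| g.visible_to?(@viewer) }.map(&:name)
  end
end

# Constructed sample data.
SAMPLE_TAG = Tag.new("incident", [
  TagGroup.new("General", nil, []),
  TagGroup.new("Staff triage", [10], []),
  TagGroup.new("Private project", nil, [2]),
])

# Names the unfiltered serializer exposes that the viewer should not see.
def leaked_names(tag, viewer)
  UnfilteredTagSerializer.new(tag, viewer).tag_group_names -
    FilteredTagSerializer.new(tag, viewer).tag_group_names
end
```

The leaked_names comparison doubles as a regression check: for any viewer, the difference between the two serializers should be empty once the filter is in place.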
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a patched version of Discourse (2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1) to fix the vulnerability.
Evidence notes
The vulnerability was patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.
Official resources
- CVE-2026-47264 CVE record (CVE.org)
- CVE-2026-47264 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-47264 was published on 2026-06-12T21:16:23.680Z.