BIT-discourse-2026-49256: Discourse: Hidden tag names leaked via category serializers
Discourse versions prior to 2026.1.5, 2026.4.2, and 2026.5.1 could leak restricted tag and tag-group names via category and group endpoints to unauthorized and anonymous users. This information disclosure affects tags attached to publicly readable categories. The issue is fixed in versions 2026.1.5, 2026.4.2, and 2026.5.1 and later.
AI Analysis
Technical Summary
A vulnerability in Discourse discussion platform versions before 2026.1.5, 2026.4.2, and 2026.5.1 allows leakage of restricted tag and tag-group names (allowed_tags, allowed_tag_groups, required tag groups) associated with publicly readable categories. These tag names could be accessed by anonymous and unauthorized users through category and group API endpoints. The issue has been addressed and fixed in the specified patched versions.
Potential Impact
Unauthorized and anonymous users could obtain restricted tag and tag-group names that were intended to be hidden, potentially revealing internal categorization or tagging schemes. There is no indication of further exploitation or direct system compromise from this leakage. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Discourse to version 2026.1.5, 2026.4.2, 2026.5.1, or later where this issue is fixed. No other mitigation is required as the vulnerability is resolved in these official releases.
BIT-discourse-2026-49256: Discourse: Hidden tag names leaked via category serializers
Description
Discourse versions prior to 2026.1.5, 2026.4.2, and 2026.5.1 could leak restricted tag and tag-group names via category and group endpoints to unauthorized and anonymous users. This information disclosure affects tags attached to publicly readable categories. The issue is fixed in versions 2026.1.5, 2026.4.2, and 2026.5.1 and later.
Affected software
pkg:bitnami/discourseRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
A vulnerability in Discourse discussion platform versions before 2026.1.5, 2026.4.2, and 2026.5.1 allows leakage of restricted tag and tag-group names (allowed_tags, allowed_tag_groups, required tag groups) associated with publicly readable categories. These tag names could be accessed by anonymous and unauthorized users through category and group API endpoints. The issue has been addressed and fixed in the specified patched versions.
Potential Impact
Unauthorized and anonymous users could obtain restricted tag and tag-group names that were intended to be hidden, potentially revealing internal categorization or tagging schemes. There is no indication of further exploitation or direct system compromise from this leakage. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Discourse to version 2026.1.5, 2026.4.2, 2026.5.1, or later where this issue is fixed. No other mitigation is required as the vulnerability is resolved in these official releases.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- BIT-discourse-2026-49256
- Osv Schema Version
- 1.6.2
- Aliases
- ["CVE-2026-49256"]
- Ecosystems
- ["Bitnami"]
- Database Specific Severity
- Medium
- Cvss Version
- null
Threat ID: 6a58b51a68715ace43db45a1
Added to database: 07/16/2026, 10:40:26 UTC
Last enriched: 07/16/2026, 14:29:54 UTC
Last updated: 07/16/2026, 19:47:32 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.