CVE-2021-41082
7.5 HIGH
Discourse is a platform for community discussion
Published: 2021-09-20 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-200, CWE-863
Affected products
| Vendor | Product |
|---|---|
| discourse | discourse |
Description
Discourse is a platform for community discussion. In affected versions any private message that includes a group had its title and participating user exposed to users that do not have access to the private messages. However, access control for the private messages was not compromised as users were not able to view the posts in the leaked private message despite seeing it in their inbox. The problematic commit was reverted around 32 minutes after it was made. Users are encouraged to upgrade to the latest commit if they are running Discourse against the `tests-passed` branch.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41082
- [Patch] https://github.com/discourse/discourse/commit/27bad28c530c89acab35a56b945b6a3924280f4b
- [Patch] https://github.com/discourse/discourse/commit/ddb458343dc39a7a8c99467dcd809b444514fe2c
- [Other] https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv
Related CVEs
Same vendor
- CVE-2026-34154 — Discourse is an open-source discussion platform (5.3 MEDIUM)
- CVE-2026-33514 — Discourse is an open-source discussion platform (4.3 MEDIUM)
- CVE-2026-32244 — Discourse is an open-source discussion platform (5.3 MEDIUM)
- CVE-2021-41163 — Discourse is an open source platform for community discussion (10.0 CRITICAL)
- CVE-2021-41140 — Discourse-reactions is a plugin for the Discourse platform that allows user to add their reactions to the post (5.3 MEDIUM)
Same CWE
- CVE-2026-12117 — Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to ...
- CVE-2026-53860 — OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries... (4.2 MEDIUM)
- CVE-2026-53855 — OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks ... (8.1 HIGH)
- CVE-2026-53854 — OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows sender... (6.5 MEDIUM)
- CVE-2026-53853 — OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowe... (8.3 HIGH)