CVE-2026-33514— Discourse: Information Disclosure in Form Template API Due to Missing Authorization
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33514
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discourse: Information Disclosure in Form Template API Due to Missing Authorization
Source: NVD (National Vulnerability Database)
Vulnerability Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33514
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33514
请登录查看更多情报信息。
Same Patch Batch · discourse · 2026-05-19 · 3 CVEs total
| CVE-2026-32244 | 5.3 MEDIUM | Discourse: Cached outdated summaries can leak removed content |
| CVE-2026-34154 | Discourse has a subscription access bypass in its discourse-subscriptions plugin |
IV. Related Vulnerabilities
Same product: discourse
- CVE-2026-34154
Discourse has a subscription access bypass in its discourse- - CVE-2026-32244
Discourse: Cached outdated summaries can leak removed conten - CVE-2026-34947
Discourse: Staged user custom fields are exposed on public i - CVE-2026-27481
Discourse: Hidden tag visibility bypass on tag routes - CVE-2026-33415
Discourse: Improper Access Control in discourse-ai Allows Un
Same vendor: discourse
- CVE-2026-34154
Discourse has a subscription access bypass in its discourse- - CVE-2026-32244
Discourse: Cached outdated summaries can leak removed conten - CVE-2026-34947
Discourse: Staged user custom fields are exposed on public i - CVE-2026-27481
Discourse: Hidden tag visibility bypass on tag routes - CVE-2026-33415
Discourse: Improper Access Control in discourse-ai Allows Un
Same weakness: CWE-862
- CVE-2026-33137
XWiki Platform has an Unauthenticated XAR Import via REST /w - CVE-2026-21836
HCL DominoIQ is affected by broken access control - CVE-2026-27405
WordPress WpBookingly plugin <= 1.2.9 - Broken Access Contro - CVE-2026-27424
WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6 - CVE-2026-45443
WordPress PDF for Elementor Forms + Drag And Drop Template B
V. Comments for CVE-2026-33514
No comments yet