CVE-2026-23743

Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

INFO

Published Date :

2026-01-28T20:07:21.266Z

Last Modified :

2026-01-28T21:07:37.739Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23743 vulnerability.

Vendors	Products
Discourse	Discourse

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23743.

URL	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact