{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T04:16:26.734","vulnerabilities":[{"cve":{"id":"CVE-2026-24742","sourceIdentifier":"security-advisories@github.com","published":"2026-01-28T21:16:11.913","lastModified":"2026-01-30T20:31:42.753","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access."},{"lang":"es","value":"Discourse es una plataforma de discusión de código abierto. En versiones anteriores a 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0, los moderadores no administradores pueden ver información sensible en los registros de acciones del personal que debería estar restringida solo a los administradores. La información expuesta incluye URL y secretos de carga útil de webhook, detalles de claves API, cambios en la configuración del sitio, contenido de mensajes privados, nombres y estructuras de categorías restringidas, y títulos de canales de chat privados. Esto permite a los moderadores eludir los controles de acceso previstos y extraer datos confidenciales al monitorear los registros de acciones del personal. Con secretos de webhook filtrados, un atacante podría potencialmente falsificar eventos de webhook a servicios integrados. Este problema está parcheado en las versiones 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0. Como solución alternativa, los administradores del sitio deben revisar y limitar los nombramientos de moderadores a usuarios de plena confianza. No existe una solución alternativa basada en la configuración para evitar este acceso."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*","versionEndExcluding":"3.5.4","matchCriteriaId":"FDBF21E2-1191-4020-A17A-0702DE4E6451"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*","versionStartIncluding":"2025.11.0","versionEndExcluding":"2025.11.2","matchCriteriaId":"539B5B85-44F0-408E-B994-08BB20EA9C26"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*","matchCriteriaId":"CCBF47A8-0D3F-4174-8084-CD3517BF272A"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*","matchCriteriaId":"F6CF5F98-F08F-4B28-BBE2-8296760A547E"}]}]}],"references":[{"url":"https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}