Vulnerability Database

309,083

Total vulnerabilities in the database

CVE-2022-21677

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in stable version 2.7.13, beta version 2.8.0.beta11, and tests-passed version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

  • Published: Jan 14, 2022
  • Updated: Nov 16, 2025
  • CVE: CVE-2022-21677
  • Severity: Low
  • Exploit:

CVSS v3:

  • Severity: Low
  • Score: 4.3
  • AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

Software From Fixed in
discourse / discourse 2.8.0-beta1 2.8.0-beta1.x
discourse / discourse 2.8.0-beta2 2.8.0-beta2.x
discourse / discourse 2.8.0-beta3 2.8.0-beta3.x
discourse / discourse 2.8.0-beta4 2.8.0-beta4.x
discourse / discourse 2.8.0-beta5 2.8.0-beta5.x
discourse / discourse 2.8.0-beta6 2.8.0-beta6.x
discourse / discourse 2.8.0-beta7 2.8.0-beta7.x
discourse / discourse 2.8.0-beta9 2.8.0-beta9.x
discourse / discourse 2.8.0-beta10 2.8.0-beta10.x
discourse / discourse 2.8.0-beta8 2.8.0-beta8.x
discourse / discourse - 2.7.12.x