{"api_version":"1","generated_at":"2026-07-15T02:47:57+00:00","cve":"CVE-2026-45780","urls":{"html":"https://cve.report/CVE-2026-45780","api":"https://cve.report/api/cve/CVE-2026-45780.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45780","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45780"},"summary":{"title":"Discourse: Private event sample invitees are serialized to non-invited event viewers","description":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-09 22:17:04","updated_at":"2026-07-14 20:43:40"},"problem_types":["CWE-200","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7","name":"https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","name":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586","name":"https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","name":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023","name":"https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","name":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","name":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","refsource":"security-advisories@github.com","tags":["Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1","name":"https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730","name":"https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730","refsource":"security-advisories@github.com","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45780","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45780","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.1.0-latest, < 2026.1.5","platforms":[]},{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.4.0-latest, < 2026.4.2","platforms":[]},{"source":"CNA","vendor":"discourse","product":"discourse","version":"affected >= 2026.5.0-latest, < 2026.5.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"45780","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"discourse","cpe5":"discourse","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45780","cve":"CVE-2026-45780","epss":"0.003990000","percentile":"0.321270000","score_date":"2026-07-14","updated_at":"2026-07-15 00:14:55"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-45780","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T01:19:57.759639Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T01:20:07.878Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"discourse","vendor":"discourse","versions":[{"status":"affected","version":">= 2026.1.0-latest, < 2026.1.5"},{"status":"affected","version":">= 2026.4.0-latest, < 2026.4.2"},{"status":"affected","version":">= 2026.5.0-latest, < 2026.5.1"}]}],"descriptions":[{"lang":"en","value":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-09T22:08:52.125Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/discourse/discourse/security/advisories/GHSA-22v7-6wgj-g9f7"},{"name":"https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/37969503f20369eb1712b7b88daedcfb4f63f5f1"},{"name":"https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/4d46638041b5f3d1e1f7f6f6f19c1df3bd65a586"},{"name":"https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/6457ab71f36a2d1440fe96af0a2593897844b023"},{"name":"https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/commit/7deb4b6963442569357b41e61febe37594e5e730"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.1.5","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.1.5"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.4.2","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.4.2"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.5.1","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.5.1"},{"name":"https://github.com/discourse/discourse/releases/tag/v2026.6.0","tags":["x_refsource_MISC"],"url":"https://github.com/discourse/discourse/releases/tag/v2026.6.0"}],"source":{"advisory":"GHSA-22v7-6wgj-g9f7","discovery":"UNKNOWN"},"title":"Discourse: Private event sample invitees are serialized to non-invited event viewers"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-45780","datePublished":"2026-07-09T22:08:52.125Z","dateReserved":"2026-05-13T07:45:21.252Z","dateUpdated":"2026-07-14T01:20:07.878Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-09 22:17:04","lastModifiedDate":"2026-07-14 20:43:40","problem_types":["CWE-200","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T01:19:57.759639Z","id":"CVE-2026-45780","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.1.0","versionEndExcluding":"2026.1.5","matchCriteriaId":"E41661D7-5D61-44CF-BFEA-57C53057A46F"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.4.0","versionEndExcluding":"2026.4.2","matchCriteriaId":"E594AEEC-13D5-48EE-AE07-0C3C25FBBC72"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.5.0","versionEndExcluding":"2026.5.1","matchCriteriaId":"CD722A52-B00A-4548-92CA-807CEB0449B0"},{"vulnerable":true,"criteria":"cpe:2.3:a:discourse:discourse:2026.6.0:*:*:*:latest:*:*:*","matchCriteriaId":"F2E7E180-2D99-484E-80A8-12F706ABDE65"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45780","Ordinal":"1","Title":"Discourse: Private event sample invitees are serialized to non-i","CVE":"CVE-2026-45780","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45780","Ordinal":"1","NoteData":"Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.","Type":"Description","Title":"Discourse: Private event sample invitees are serialized to non-i"}]}}}