CVE-2022-21677: Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group ...

Description

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

1.17%

63.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Discourse	Discourse	<= 2.7.12	—
Discourse	Discourse	2.8.0	Beta1

References

https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e503813ab44Patch, Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-768r-ppv4-5r27Third Party Advisory
https://github.com/discourse/discourse/commit/fff8b98485561b12d070c0a8c39f4e503813ab44Patch, Third Party Advisory
https://github.com/discourse/discourse/security/advisories/GHSA-768r-ppv4-5r27Third Party Advisory

Timeline

Published: Jan 14, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-21677?

Discourse is an open source discussion platform. Discourse groups can be configured with varying visibility levels for the group as well as the group members. By default, a newly created group has its visibility set to public and the group's members visibility set to public as well. However, a group's visibility and the group's members visibility can be configured such that it is restricted to logged on users, members of the group or staff users. A vulnerability has been discovered in versions prior to 2.7.13 and 2.8.0.beta11 where the group advanced search option does not respect the group's visibility and members visibility level. As such, a group with restricted visibility or members visibility can be revealed through search with the right search option. This issue is patched in `stable` version 2.7.13, `beta` version 2.8.0.beta11, and `tests-passed` version 2.8.0.beta11 versions of Discourse. There are no workarounds aside from upgrading.

How severe is CVE-2022-21677?

CVE-2022-21677 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.17% probability of exploitation in the next 30 days.

How do I fix CVE-2022-21677?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.