_Discovered: November 2022_  
_Affected Software: Discourse (open source discussion platform)_

Introduction

Discourse is a popular open source forum platform known for hosting vibrant, secure online communities. In late 2022, security researchers discovered a serious vulnerability (CVE-2022-39385) affecting how Discourse handles user invitations, potentially exposing private message threads to unintended users. Although the bug triggered only in rare cases, the invisible nature of the leak made it especially risky for communities relying on private messaging.

In this post, we’ll break down what CVE-2022-39385 is, how it manifests, peek at the code behind it, see how to mitigate, and give all the references you need to stay secure.

What Exactly is the Vulnerability?

When a user gets invited to a Discourse forum via a special invitation link, the platform automates their onboarding. However, because of a code logic bug, _sometimes_ these new users were mistakenly added as participants in pre-existing private message threads (PMs), which they were not supposed to access.

Example Scenario

Suppose Alice and Bob exchange confidential messages. Later, a forum moderator sends out several invitation links for new users using Discourse's standard invitation system. Due to this bug, some of these fresh users might silently gain access to Alice and Bob’s private messages.

Under the Hood: Where’s the Bug?

The vulnerability comes down to how Discourse processes invitations and participant lists for private message topics.

In the code, when an invitation is redeemed, the system calls a handler to check if the user needs to be attached to certain topics. Bugs in this handler could lead to unintentional permission grants.

Relevant Fix Commit:  
a414520742

Vulnerable Code Snippet (pseudo-code style for clarity)

def redeem_invite(invite)
  # ... user onboarding logic ...
  invite.redeem
  # Attach the newly created user to any topics linked to the invitation
  process_private_topics_for_user(invite.user)
end

def process_private_topics_for_user(user)
  # Collect the topic ids this user is supposed to be invited to
  topic_ids = fetch_invited_topic_ids(user)
  # BUG: topic_ids may include topics the user should NOT be added to,
  # and no further permission check happens before the user is attached
  topic_ids.each do |topic_id|
    add_user_to_topic(user, topic_id)
  end
end


Here, fetch_invited_topic_ids(user) could be too broad in some edge cases, resulting in unauthorized PM access.
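To make that failure mode concrete, here is an added Ruby model (not Discourse's own code; the struct names, the email-keyed lookup and the sample invites and topics are all assumed) that places the over-broad lookup beside a lookup scoped to the single invite being redeemed and checked against the inviter's own access:

```ruby
# Added example, not Discourse's code: a toy model of invite redemption
# contrasting an over-broad topic lookup with a scoped, checked one.
Invite = Struct.new(:id, :email, :inviter, :topic_ids, :active)
Topic  = Struct.new(:id, :pm, :participants)

# Constructed sample state (hypothetical users and topics).
TOPICS = {
  1 => Topic.new(1, true,  %w[alice bob]),   # confidential PM between alice and bob
  2 => Topic.new(2, false, %w[carol]),       # public topic carol invited a newcomer to
}
INVITES = [
  Invite.new(10, "new@example.test", "alice", [1], false), # stale, revoked invite to the PM
  Invite.new(11, "new@example.test", "carol", [2], true),  # the invite actually redeemed
]

# Vulnerable shape from the post: derives the topic list from the user's
# email, so every invite row that ever carried that address is swept in,
# including stale ones pointing at unrelated private threads.
def fetch_invited_topic_ids_broad(email)
  INVITES.select { |i| i.email == email }.flat_map(&:topic_ids)
end

# Hardened lookup: only the invite being redeemed counts, only while it is
# active, and a PM is joined only if the inviter is already a participant.
def fetch_invited_topic_ids_scoped(invite)
  return [] unless invite.active
  invite.topic_ids.select do |tid|
    topic = TOPICS[tid]
    topic && (!topic.pm || topic.participants.include?(invite.inviter))
  end
end

# Applies the redemption to a copy of the topic table and returns it, so the
# effect of each lookup is observable without mutating the sample state.
def redeem(invite, user, topic_ids)
  topics = TOPICS.transform_values { |t| Topic.new(t.id, t.pm, t.participants.dup) }
  topic_ids.each { |tid| topics.fetch(tid).participants << user }
  topics
end

invite = INVITES.find { |i| i.id == 11 }
leaky  = redeem(invite, "newuser", fetch_invited_topic_ids_broad(invite.email))
safe   = redeem(invite, "newuser", fetch_invited_topic_ids_scoped(invite))
puts "broad:  PM 1 participants = #{leaky[1].participants.inspect}"  # newuser leaked in
puts "scoped: PM 1 participants = #{safe[1].participants.inspect}"   # unchanged
```

The scoped version is the check a redemption handler should make regardless of how the invite records were queried: a new user only joins a private thread that the inviter themselves can already see.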

No complex hacking was needed; just redeeming a crafted invitation at the right time:

1. A new user redeems the invitation link.
2. If system state aligns with the bug's trigger condition, the user is silently added to other users' private messages.

Official Patch and Mitigation

Fixed In:  
- Commit a414520742

Will be part of future stable releases after November 2022.

Immediate Mitigation:  
- Until patched, administrators should set the site setting max_invites_per_day to a value that disables new invites.

Upgrade to the latest Discourse release including the above commit.

Conclusion and Recommendations

Private conversations are the backbone of trust in community platforms. CVE-2022-39385 showed how even rarely triggered bugs can lead to serious information leaks.

- Disable invitations if you cannot patch right away.
- Educate moderators/admins to watch for suspicious new users and PM access patterns.

References

- Original Advisory on GitHub
- Official Patch Commit a414520742
- Discourse Security Fix Notes
- CVE Record

Stay vigilant, update often. If you run Discourse, don't ignore this bug!

*If you liked this detailed breakdown, share with your sysadmin or Discourse community leader.*

Timeline

Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 20:24:00 UTC