_Discovered: November 2022_
_Affected Software: Discourse (open source discussion platform)_
Introduction
Discourse is a popular open source forum platform known for hosting vibrant, secure online communities. In late 2022, security researchers discovered a serious vulnerability (CVE-2022-39385) affecting how Discourse handles user invitations, potentially exposing private message threads to unintended users. Even though this bug triggered in rare cases, the invisible nature of the leak made it especially risky for communities relying on private messaging.
In this post, we’ll break down what CVE-2022-39385 is, how it manifests, peek at the code behind it, see how to mitigate, and give all the references you need to stay secure.
What Exactly is the Vulnerability?
When a user gets invited to a Discourse forum via a special invitation link, the platform automates their onboarding. However, because of a code logic bug, _sometimes_ these new users were mistakenly added as participants in pre-existing private message threads (PMs), which they were not supposed to access.
Example Scenario
Suppose Alice and Bob exchange confidential messages. Later, a forum moderator sends out several invitation links for new users using Discourse's standard invitation system. Due to this bug, some of these fresh users might silently gain access to Alice and Bob’s private messages.
Under the Hood: Where’s the Bug?
The vulnerability comes down to how Discourse processes invitations and participant lists for private message topics.
In the code, when an invitation is redeemed, the system calls a handler to check if the user needs to be attached to certain topics. Bugs in this handler could lead to unintentional permission grants.
Relevant Fix Commit:
a414520742
Vulnerable Code Snippet (pseudo-code style for clarity)
def redeem_invite(invite)
# ... user onboarding logic ...
invite.redeem
process_private_topics_for_user(invite.user)
end
def process_private_topics_for_user(user)
topic_ids = fetch_invited_topic_ids(user)
# BUG: topic_ids may include topics the user should NOT be added to
topic_ids.each do |topic_id|
add_user_to_topic(user, topic_id)
end
end
Here, fetch_invited_topic_ids(user) could be too broad in some edge cases, resulting in unauthorized PM access.
Extracting private message content either via direct links, API, or client-side topic browsing
No complex hacking was needed—just redeeming a crafted invitation at the right time.
Attacker or user redeems an invite link.
2. If system state aligns with the bug’s trigger condition, user is silently added to other users’ private messages.
Official Patch and Mitigation
Fixed In:
- Commit a414520742
Will be part of future stable releases after November 2022.
Immediate Mitigation:
- Administrators should set the site setting max_invites_per_day to until patched, disabling new invites.
Upgrade to the latest Discourse release including the above commit.
Conclusion and Recommendations
Private conversations are the backbone of trust in community platforms. CVE-2022-39385 showed how even rarely triggered bugs can lead to serious information leaks.
Disable invitations if you cannot patch right away.
- Educate moderators/admins to watch for suspicious new users and PM access patterns.
References
- Original Advisory on GitHub
- Official Patch Commit a414520742
- Discourse Security Fix Notes
- CVE Record
Stay vigilant, update often. If you run Discourse, don't ignore this bug!
*If you liked this detailed breakdown, share with your sysadmin or Discourse community leader.*
Timeline
Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 20:24:00 UTC