CVE CyberSecurity Database News

CVE-2022-41944 - Sensitive Topic Titles Leaked Through Notifications in Discourse – What Happened and Why It Matters

Poster -

Discourse has become one of the most popular open-source discussion platforms. It runs the forums of big sites and communities worldwide. With its focus on modern, user-friendly conversations, Discourse powers groups ranging from hobbyists to software projects. But even the best software can have vulnerabilities, and in October 2022, Discourse ran into a privacy problem that could expose sensitive information.

This article explains CVE-2022-41944 using simple language, original research links, code snippets, and an exploration of how this bug could be exploited. If you care about privacy in online forums, read on.

What is CVE-2022-41944?

CVE-2022-41944 is a vulnerability that affected Discourse in its stable versions before 2.8.12 and its beta/tests-passed branches before 2.9..beta13. Under certain conditions, users could still see notifications for topics (threads) even after their access had been revoked. So if a topic had a sensitive title, users who should no longer see it would still catch a glimpse through their notifications.

A user was following or watching a topic.

- Later, an admin removed their access to the topic, possibly by moving it to a closed category or changing permissions.
- Notifications about this topic—specifically mentioning its title—still went out to the removed user.

This revealed the topic’s subject even though the full content should have been hidden.

Think about a staff-only thread titled “Layoff Plans for Q4”. If someone lost their staff status, but still received a notification with this title, that’s a big privacy failure.

Widespread Impact: Any Discourse site that had protected categories was at risk.

Patched versions have resolved the bug, so it’s critical to update.

How Could an Attacker Abuse this?

This bug isn’t a remote code execution or privilege escalation bug, but it’s a very real info leak. Here’s a step-by-step illustration:

A new post is made in the topic.

6. The attacker, despite losing access, receives a notification with the topic title in their Discourse notifications menu or via email!

If the attacker checks their notifications, they see something like

You have a new post in: Confidential: Acquisition by MegaCorp

This works because of a logic bug—Discourse did not re-check access before sending topic notifications.

Simplified Code Example

Let's look at what could have gone wrong internally. This is a highly simplified pseudo-code snippet (not the actual Discourse code, but it shows the logic in simple terms):

def send_notification(user, topic)
  # Previously: Only checked if user had followed the topic
  if user.following?(topic)
    Notification.create(
      user: user,
      message: "New post in: #{topic.title}"
    )
  end
end

The problem: It does not check if the user STILL HAS access!

Fixed logic should be

def send_notification(user, topic)
  if user.following?(topic) && user.can_access?(topic)
    Notification.create(
      user: user,
      message: "New post in: #{topic.title}"
    )
  end
end

Tests-passed: 2.9..beta13

Original Advisory:  
GitHub Advisory GHSA-7m97-x322-34c2

GitHub PR for the patch:  
discourse/discourse#19664

CVE Page:  
MITRE CVE-2022-41944

If you run a Discourse server

1. Upgrade now to at least 2.8.12 (stable) or 2.9..beta13+ (beta/tests-passed).
2. There are no effective workarounds. Disabling notifications isn’t enough, as that still doesn’t prevent info leaks if any notification gets through.

Conclusion

CVE-2022-41944 is a classic example of how access-control flaws can create data leaks, even in systems with well-designed permissions. For open-source projects and their administrators, it’s a reminder to test privacy scenarios thoroughly and update quickly when vulnerabilities are found.

If you host a Discourse forum, check your versions today. Privacy is only as strong as your latest upgrade!

References

- Discourse GHSA-7m97-x322-34c2 Advisory
- Patch Pull Request
- MITRE CVE Entry

*Stay safe, keep your users’ info private, and keep Discourse up to date!*

Timeline

Published on: 11/28/2022 15:15:00 UTC
Last modified on: 12/01/2022 20:28:00 UTC