CVE-2026-32618
Discourse: Unauthorized channel membership inference via excluded_memberships_channel_idDiscourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
We have discovered 909 live websites that are affected by CVE-2026-32618.
Affected Software
| Product |  Discourse |
| Category | Message Boards |
| Vulnerable Domains | 909 live websites (20% of Discourse install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 4 versions ( 5.63% of all versions) |
Common Weakness Enumeration
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorDetails
- Published - Mar 31, 2026
- Updated - Apr 3, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-32618 United States | 491 websites |
 Germany | 200 websites |
 France | 40 websites |
 GB | 25 websites |
 Singapore | 18 websites |
 Switzerland | 16 websites |
 Netherlands | 15 websites |
 Russia | 11 websites |
 Canada | 10 websites |
 China | 10 websites |
Website Distribution by TLD
Number of websites using CVE-2026-32618| .com | 397 websites |
| .org | 135 websites |
| .net | 45 websites |
| .io | 31 websites |
| .de | 29 websites |
| .fr | 15 websites |
| .co.uk | 13 websites |
| .ch | 12 websites |
| .eu | 10 websites |
| .it | 9 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-32618
Top websites that are affected by CVE-2026-32618. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.org | United States | **,*** | |
| *********.***********.com | United States | **,*** | |
| ***********.com | United States | ***,*** | |
| *****.********.com | Germany | ***,*** | |
| *********.*******.org | Germany | ***,*** | |
| *********.de | Germany | ***,*** | |
| ****************.com | Germany | ***,*** | |
| ****.***********.org | United States | ***,*** | |
| *****.*******.org | Germany | ***,*** | |
| *****.********.com |  Latvia | ***,*** |
FAQ
CVE-2026-32618 is Exposure of Sensitive Information to an Unauthorized Actor in Discourse
A total of 909 websites have been identified as vulnerable to CVE-2026-32618, based on global website indexing conducted by WebTechSurvey.
The Discourse is affected by the CVE-2026-32618 vulnerability.
Discourse versions up to 2026.3 are vulnerable to CVE-2026-32618.
CVE-2026-32618 is resolved in version 2026.3 of Discourse.