Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
CVE-2026-26265 is an Insecure Direct Object Reference (IDOR) vulnerability in Discourse that allows unauthenticated users to retrieve private user field values for all directory users. The vulnerability bypasses authorization checks on the `user_field_ids` parameter, enabling bulk exfiltration of sensitive data such as phone numbers and addresses. This affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with patches now available.
IMMEDIATE ACTIONS:
1. Identify all Discourse instances in your organization and verify current version (check /admin/dashboard)
2. If running versions prior to 2025.12.2, 2026.1.1, or 2026.2.0, immediately apply available patches
3. Review audit logs for unauthorized access to /directory_items.json endpoints with suspicious user_field_ids parameters
4. Audit private user fields configuration and remove sensitive data from non-public fields
PATCHING GUIDANCE:
1. Update to patched versions: 2025.12.2, 2026.1.1, or 2026.2.0 or later
2. Test patches in staging environment before production deployment
3. Verify patch effectiveness by confirming that, for non-staff users, `user_field_ids` is filtered against `UserField.public_fields` (a request naming a private field ID must no longer return that field's values)
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable user directory via `enable_user_directory` site setting
2. Remove all sensitive data from private user fields (phone, address, custom fields)
3. Implement WAF rules to block /directory_items.json requests with user_field_ids parameters
4. Restrict directory access to authenticated users only via site settings
5. Monitor and alert on directory_items.json API calls with non-standard parameters
DETECTION RULES:
1. Monitor for GET requests to /directory_items.json with user_field_ids parameter
2. Alert on requests from anonymous/unauthenticated users accessing directory endpoints
3. Track bulk directory queries (period=all) combined with custom field IDs
4. Log and review any access to private user field data in API responses
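The detection rules above, as an added example that is not part of the advisory or of Discourse's own code: a small Ruby scanner that parses constructed access-log lines (a simplified format assumed here; map it to your own proxy or Rails log layout), flags GET requests to `/directory_items.json` that carry `user_field_ids`, and rates them higher when the requested IDs are not public and the caller is anonymous or uses `period=all`. The public field ID list and the pipe-separated multi-ID syntax are assumptions.

```ruby
require "uri"
require "cgi"

# Constructed sample access-log lines (not real traffic) in a simplified format:
#   client_ip - user_id_or_dash "METHOD target HTTP/x" status
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - "GET /directory_items.json?period=weekly&order=likes_received HTTP/1.1" 200
  203.0.113.7 - - "GET /directory_items.json?period=all&user_field_ids=7 HTTP/1.1" 200
  198.51.100.9 - 42 "GET /directory_items.json?period=weekly&user_field_ids=3%7C7 HTTP/1.1" 200
  198.51.100.9 - 42 "GET /t/some-topic/123.json HTTP/1.1" 200
  203.0.113.7 - - "GET /directory_items.json?period=monthly&user_field_ids=3 HTTP/1.1" 200
LOG

LINE_RE = /\A(?<ip>\S+) - (?<user>\S+) "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})\z/

# Assumption: ids of the user fields this site's admins have marked public
# (the equivalent of UserField.public_fields); every other id is private.
PUBLIC_FIELD_IDS = [3].freeze

# Returns nil for lines that are not directory queries carrying user_field_ids,
# otherwise a finding whose severity follows the advisory's detection rules.
def classify(line)
  m = LINE_RE.match(line.strip) or return nil
  uri = URI.parse(m[:target])
  return nil unless m[:method] == "GET" && uri.path == "/directory_items.json"
  params = CGI.parse(uri.query.to_s)
  # Assumption: several ids may be requested as one pipe-separated value.
  ids = params["user_field_ids"].flat_map { |v| v.split("|") }.map(&:to_i)
  return nil if ids.empty?
  private_ids = ids - PUBLIC_FIELD_IDS
  anonymous = m[:user] == "-"
  period_all = params["period"].include?("all")
  severity =
    if private_ids.any? && (anonymous || period_all) then :high   # anon or bulk pull of private fields
    elsif private_ids.any?                            then :medium # private field requested by a member
    else                                                   :low    # only public fields requested
    end
  { ip: m[:ip], anonymous: anonymous, period_all: period_all,
    requested_ids: ids, private_ids: private_ids, severity: severity }
end

# Runs classify over every log line and keeps only the findings.
def scan(log)
  log.each_line.filter_map { |l| classify(l) }
end

scan(SAMPLE_LOG).each do |f|
  puts "#{f[:severity].to_s.upcase} #{f[:ip]} anonymous=#{f[:anonymous]} private_ids=#{f[:private_ids]}"
end
```

On a patched instance the `:high` and `:medium` findings still indicate probing worth reviewing, but the response will no longer contain the private field values.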
IMMEDIATE ACTIONS:
1. Identify all Discourse instances in your organization and verify the current version
2. If you are running versions prior to 2025.12.2, 2026.1.1, or 2026.2.0, apply the available patches immediately
3. Review audit logs for unauthorized access to the /directory_items.json endpoints
4. Audit the configuration of private user fields and remove sensitive data
PATCHING GUIDANCE:
1. Update to the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0 or later
2. Test the patches in the development environment before deploying to production
3. Verify the effectiveness of the patch by confirming that user_field_ids is filtered
COMPENSATING CONTROLS:
1. Disable the user directory via the `enable_user_directory` setting
2. Remove all sensitive data from private user fields
3. Apply WAF rules to block /directory_items.json requests
4. Restrict directory access to authorized users only
5. Monitor and raise alerts on API calls