What is the severity of CVE-2022-46150?

The severity of CVE-2022-46150 is classified as moderate.

How do I fix CVE-2022-46150?

To fix CVE-2022-46150, upgrade to Discourse version 2.8.13 or version 2.9.0.beta14 or later.

What vulnerability does CVE-2022-46150 address?

CVE-2022-46150 addresses an issue where unauthorized users can learn about the existence of hidden tags applied to topics.

Which versions of Discourse are affected by CVE-2022-46150?

CVE-2022-46150 affects Discourse versions prior to 2.8.13 and various beta versions of 2.9.0.

Why is CVE-2022-46150 a concern for Discourse users?

CVE-2022-46150 is a concern as it allows unauthorized access to information that should be hidden, potentially leading to privacy issues.

Vulnerability/
CVE-2022-46150

medium

4.3

CWE

200

29/11/2022

23/4/2025

CVE-2022-46150: Discourse may allow exposure of hidden tags in the subject of notification emails

First published: Tue Nov 29 2022(Updated: )

Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse	<2.8.13
Discourse	=2.9.0-beta1
Discourse	=2.9.0-beta10
Discourse	=2.9.0-beta11
Discourse	=2.9.0-beta12
Discourse	=2.9.0-beta13
Discourse	=2.9.0-beta2
Discourse	=2.9.0-beta3
Discourse	=2.9.0-beta4
Discourse	=2.9.0-beta5
Discourse	=2.9.0-beta6
Discourse	=2.9.0-beta7
Discourse	=2.9.0-beta8

Remedy

https://github.com/discourse/discourse/commit/84c83e8d4a1907f8a2972f0ab44b6402aa910c3b

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-46150?
The severity of CVE-2022-46150 is classified as moderate.
How do I fix CVE-2022-46150?
To fix CVE-2022-46150, upgrade to Discourse version 2.8.13 or version 2.9.0.beta14 or later.
What vulnerability does CVE-2022-46150 address?
CVE-2022-46150 addresses an issue where unauthorized users can learn about the existence of hidden tags applied to topics.
Which versions of Discourse are affected by CVE-2022-46150?
CVE-2022-46150 affects Discourse versions prior to 2.8.13 and various beta versions of 2.9.0.
Why is CVE-2022-46150 a concern for Discourse users?
CVE-2022-46150 is a concern as it allows unauthorized access to information that should be hidden, potentially leading to privacy issues.

agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/title
agent/severity
agent/remedy
agent/weakness
agent/first-publish-date
agent/description
agent/author
agent/last-modified-date
agent/softwarecombine
agent/event
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/discourse
canonical/discourse
version/discourse/2.9.0-beta1
version/discourse/2.9.0-beta10
version/discourse/2.9.0-beta11
version/discourse/2.9.0-beta12
version/discourse/2.9.0-beta13
version/discourse/2.9.0-beta2
version/discourse/2.9.0-beta3
version/discourse/2.9.0-beta4
version/discourse/2.9.0-beta5
version/discourse/2.9.0-beta6
version/discourse/2.9.0-beta7
version/discourse/2.9.0-beta8