Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without verifying the current user's access, enabling policy group members to accept/unaccept policies on posts in private categories or PMs they cannot see and any authenticated user to enumerate which post IDs have policies attached via differentiated error responses (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a `guardian.can_see?(@post)` check in the `set_post` before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (`policy_enabled = false`) eliminates the vulnerability. There is no other workaround without upgrading.
Published: 2026-02-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized policy manipulation and information disclosure on private posts
Action: Patch or Disable
AI Analysis

Impact

The discourse-policy plugin's PolicyController loaded posts by ID and ran policy actions without checking whether the calling user could see the post. A member of a policy's group could therefore accept or unaccept a policy on a post in a private category or private message they could not normally view, and any authenticated user could learn which post IDs carry a policy, because the error returned for an invisible post differed depending on whether a policy was attached. Because the flaw is a missing authorization check (CWE-862) rather than an injection or memory-safety bug, the impact is limited to unauthorized changes to policy acceptance state and leakage of which private posts have policies; it does not yield code execution or access to post content.
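The following is an added illustration, not code from Discourse or the discourse-policy plugin: a toy Ruby model of a PolicyController-style accept action, once without the visibility check (the vulnerable set_post that only loads the post by ID) and once with a stand-in for the guardian.can_see?(@post) check the patch adds. Post, Policy, User, Guardian, PolicyHandler, the status codes and the error strings are all assumptions made for this example; the real plugin's routes and messages are not shown on this page. It reproduces both consequences the advisory describes: a policy-group member accepting a policy on a private post they cannot read, and an outsider enumerating which IDs carry a policy from the differing error responses.

```ruby
require "set"

# Added example (not Discourse's code): a toy model of the PolicyController
# bug and of the guardian.can_see?(@post) fix. Post, Policy, User, Guardian
# and PolicyHandler are stand-ins for the real Discourse classes.

Post   = Struct.new(:id, :private, :policy)           # policy: nil or a Policy
Policy = Struct.new(:group, :accepted_by)             # accepted_by: Set of user names
User   = Struct.new(:name, :groups, :private_access)  # private_access: may read private posts

# Stand-in for Discourse's Guardian#can_see?: private posts need private_access.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    !post.private || @user.private_access
  end
end

# Constructed sample data: posts 1 and 3 are private; posts 2 and 3 carry a policy.
def sample_posts
  {
    1 => Post.new(1, true,  nil),
    2 => Post.new(2, false, Policy.new("staff", Set.new)),
    3 => Post.new(3, true,  Policy.new("staff", Set.new)),
    4 => Post.new(4, false, nil),
  }
end

# Mimics the accept action. check_visibility: false reproduces the vulnerable
# set_post (load by ID only); true reproduces the patched before_action.
class PolicyHandler
  def initialize(posts, check_visibility:)
    @posts = posts
    @check_visibility = check_visibility
  end

  # Returns [status, body], like an HTTP response.
  def accept(user, post_id)
    post = @posts[post_id]
    return [404, "not found"] if post.nil?
    # The fix: an invisible post must look exactly like a nonexistent one,
    # before any policy logic can produce a distinguishing error.
    if @check_visibility && !Guardian.new(user).can_see?(post)
      return [404, "not found"]
    end
    return [422, "no policy on this post"] if post.policy.nil?
    return [403, "not a member of policy group"] unless user.groups.include?(post.policy.group)
    post.policy.accepted_by << user.name
    [200, "accepted"]
  end
end

# Enumeration: the attacker probes IDs and keeps those whose response reveals a
# policy (a group-membership refusal or a success) rather than a "no policy" or
# "not found" error.
def enumerate_policy_posts(handler, user, ids)
  ids.select do |id|
    status, = handler.accept(user, id)
    [200, 403].include?(status)
  end
end

# Two probes: an outsider in no group, and a policy-group member who still
# cannot read private posts.
def run_demo(check_visibility:)
  posts    = sample_posts
  handler  = PolicyHandler.new(posts, check_visibility: check_visibility)
  outsider = User.new("eve", [], false)
  member   = User.new("mallory", ["staff"], false)
  {
    enumerated: enumerate_policy_posts(handler, outsider, 1..4),
    private_accept: handler.accept(member, 3),
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_demo(check_visibility: false) # {:enumerated=>[2, 3], :private_accept=>[200, "accepted"]}
  p run_demo(check_visibility: true)  # {:enumerated=>[2], :private_accept=>[404, "not found"]}
end
```

Without the check, the outsider's probe reveals that private post 3 has a policy, and the group member changes the policy state on a post they cannot read. With the check, invisible posts are indistinguishable from nonexistent ones, so only the public post 2 is enumerable and the accept on post 3 is refused before any policy logic runs. The important design point is the ordering: the visibility check must come before every code path that can produce a post-specific error.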

Affected Systems

Affected systems are installations of the open-source Discourse discussion platform running a version earlier than the patched releases 2025.12.2, 2026.1.1 and 2026.2.0 with the discourse-policy plugin enabled. Installations with the plugin disabled (policy_enabled = false) are not exposed. The affected vendor and product are Discourse, specifically the discourse-policy plugin.

Risk and Exploitability

Risk and exploitability are moderate. The CVSS 3.1 base score of 5.4 (Medium) reflects a network-reachable flaw that needs only low privileges and no user interaction, with low confidentiality and integrity impact and no availability impact; the EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an ordinary authenticated forum account: the attacker issues the same policy accept/unaccept requests the plugin's own UI sends, substituting IDs of posts they cannot view. Enumeration needs no group membership; changing policy state additionally requires membership in the policy's group, since the flaw is a missing access check rather than a privilege escalation.

Generated by OpenCVE AI on April 18, 2026 at 10:23 UTC.

Remediation

Vendor fix: upgrade to Discourse 2025.12.2, 2026.1.1, or 2026.2.0, which add a guardian.can_see?(@post) check to the PolicyController set_post before_action so that post visibility is verified before any policy action is processed. Workaround: disable the discourse-policy plugin (policy_enabled = false); there is no other workaround without upgrading.

OpenCVE Recommended Actions

  • Upgrade Discourse to 2025.12.2, 2026.1.1, or 2026.2.0, where the PolicyController's set_post before_action gained a guardian.can_see?(@post) check
  • Until the upgrade is done, disable the discourse-policy plugin by setting policy_enabled = false; no other workaround exists
  • After upgrading, confirm the running plugin version includes the check, confirm that policy accept/unaccept requests for posts the user cannot see are rejected before any policy logic runs, and apply the same guardian check to any custom plugin controller that loads posts by ID


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 22:00:00 +0000

Type: CPEs
Values removed / added:
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type: Metrics
Values added: SSVC v2.0.3 (Automatable: no; Exploitation: none; Technical Impact: partial)


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values added: Discourse; Discourse discourse
Type: Vendors & Products
Values added: Discourse; Discourse discourse

Thu, 26 Feb 2026 15:30:00 +0000

Type: Description
Values added: the CVE description reproduced at the top of this page
Type: Title
Values added: DIscourse's discourse-policy plugin lacks post access check
Type: Weaknesses
Values added: CWE-862
Type: References
Type: Metrics
Values added: CVSS v3.1 score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N


Subscriptions

Discourse Discourse
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:42.157Z

Reserved: 2026-02-11T19:56:24.814Z

Link: CVE-2026-26207

Vulnrichment

Updated: 2026-02-26T21:07:33.630Z

NVD

Status : Analyzed

Published: 2026-02-26T16:24:07.163

Modified: 2026-03-02T21:51:04.787

Link: CVE-2026-26207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses