Description
Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue.
Published: 2026-02-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation allowing unauthorized reviewable note manipulation
Action: Immediate Patch
AI Analysis

Impact

Discourse contains an IDOR flaw in the ReviewableNotesController that lets a user belonging to a category moderation group create or delete their own notes on any reviewable in the system, including reviewables in categories they do not moderate. The controller resolved the reviewable with an unscoped Reviewable.find, and its ensure_can_see guard only verified general access to the review queue, not access to the specific reviewable. The assigned weaknesses are CWE-863 (Incorrect Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

The vulnerability affects the open source forum platform Discourse. All releases prior to version 2025.12.2, 2026.1.1, and 2026.2.0 are impacted when the "enable_category_group_moderation" site setting is enabled. Staff users (admins and moderators) are not affected because they already possess full access to reviewables.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the vulnerability as medium severity: network-reachable and low-complexity, but requiring an authenticated low-privileged user and limited to a low integrity impact, with no confidentiality or availability impact. The EPSS score is below 1%, indicating a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. The attacker must be an authenticated user who belongs to a category moderation group on an instance where the enable_category_group_moderation site setting is enabled. The exploit path is a request to the ReviewableNotesController that creates or deletes one of the attacker's own notes on an arbitrary reviewable ID, bypassing the intended per-reviewable permission check.

Generated by OpenCVE AI on April 17, 2026 at 14:17 UTC.
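The unscoped-versus-scoped lookup described in the Description and the exploit path just described, as an added example that is not Discourse's code: a small in-memory Ruby model of a reviewable, a category moderation group and the two controller lookups. The Reviewable, User and Category classes, the ensure_can_see! guard, the SETTINGS hash and all ids and group numbers are constructed here for illustration and deliberately simplify what Discourse does; only the distinction between an unscoped Reviewable.find and a lookup scoped through Reviewable.viewable_by(current_user) mirrors the advisory. scoped: false reproduces the vulnerable flow, scoped: true the patched one, and with_setting(false) shows why disabling enable_category_group_moderation closes the hole even on unpatched code.

```ruby
# Added example, not Discourse's code: an in-memory model of the lookup flaw.
# Classes, ids, group numbers and the simplified guard below are constructed here.

class RecordNotFound < StandardError; end  # stands in for ActiveRecord::RecordNotFound
class Forbidden      < StandardError; end  # stands in for a 403 from the access guard

# The site setting the advisory names; the IDOR is only reachable when it is true.
SETTINGS = { enable_category_group_moderation: true }

User     = Struct.new(:id, :staff, :group_ids)
Category = Struct.new(:id, :reviewable_by_group_id)   # group that moderates the category

CATEGORIES = {
  1 => Category.new(1, 100),   # category 1 is moderated by group 100
  2 => Category.new(2, 200),   # category 2 is moderated by group 200
}

class Reviewable
  attr_reader :id, :category_id, :notes

  @all = {}
  class << self
    attr_reader :all

    # Unscoped lookup, as in the vulnerable controller: any existing id resolves,
    # no matter who is asking.
    def find(id)
      all.fetch(id) { raise RecordNotFound, "Couldn't find Reviewable with id=#{id}" }
    end

    # Scoped lookup modelled on Reviewable.viewable_by(user): staff see everything;
    # with category group moderation on, a group member sees only the reviewables
    # in categories one of their groups moderates; everyone else sees nothing.
    def viewable_by(user)
      return all.values if user.staff
      return [] unless SETTINGS[:enable_category_group_moderation]
      all.values.select do |r|
        user.group_ids.include?(CATEGORIES.fetch(r.category_id).reviewable_by_group_id)
      end
    end
  end

  def initialize(id, category_id)
    @id, @category_id, @notes = id, category_id, []
    self.class.all[id] = self
  end
end

# The guard the vulnerable controller relied on. It answers "may this user open the
# review queue at all?", which is true for every category group moderator, and says
# nothing about one particular reviewable.
def ensure_can_see!(user)
  moderates_something = CATEGORIES.values.any? { |c| user.group_ids.include?(c.reviewable_by_group_id) }
  queue_visible = user.staff || (SETTINGS[:enable_category_group_moderation] && moderates_something)
  raise Forbidden, "user #{user.id} cannot see the review queue" unless queue_visible
end

def find_reviewable(user, id, scoped:)
  return Reviewable.find(id) unless scoped                      # vulnerable: unscoped
  Reviewable.viewable_by(user).find { |r| r.id == id } ||       # patched: scoped to the user
    raise(RecordNotFound, "Couldn't find Reviewable with id=#{id}")
end

# Create a note on a reviewable. Returns :created, :not_found or :forbidden,
# standing in for the controller's 200 / 404 / 403 responses.
def create_note(user, reviewable_id, text, scoped:)
  ensure_can_see!(user)
  find_reviewable(user, reviewable_id, scoped: scoped).notes << { user_id: user.id, text: text }
  :created
rescue RecordNotFound
  :not_found
rescue Forbidden
  :forbidden
end

# Run a block with the site setting temporarily changed (models the workaround).
def with_setting(value)
  old = SETTINGS[:enable_category_group_moderation]
  SETTINGS[:enable_category_group_moderation] = value
  yield
ensure
  SETTINGS[:enable_category_group_moderation] = old
end

Reviewable.new(10, 1)                 # constructed: a reviewable in category 1
Reviewable.new(20, 2)                 # constructed: a reviewable in category 2
ADMIN    = User.new(1, true,  [])
CAT1_MOD = User.new(2, false, [100])  # moderates category 1 only
MEMBER   = User.new(3, false, [])     # ordinary user, no review queue access

def demo
  {
    vulnerable_cross_category: create_note(CAT1_MOD, 20, "fine", scoped: false), # :created, the IDOR
    patched_cross_category:    create_note(CAT1_MOD, 20, "fine", scoped: true),  # :not_found
    patched_own_category:      create_note(CAT1_MOD, 10, "spam", scoped: true),  # :created
    staff_any_category:        create_note(ADMIN, 20, "ok", scoped: true),       # :created
    member_no_queue_access:    create_note(MEMBER, 20, "x", scoped: false),      # :forbidden
    workaround_setting_off:    with_setting(false) { create_note(CAT1_MOD, 20, "x", scoped: false) }, # :forbidden
  }
end

demo.each { |name, outcome| puts "#{name}: #{outcome}" } if $PROGRAM_NAME == __FILE__
```

The point the model makes concrete is that the guard and the lookup answer different questions: ensure_can_see! passes for any category group moderator, so only the lookup can enforce which reviewables that moderator may touch. Resolving the id through the user-scoped relation turns the cross-category request into a 404, which is also what keeps the existence of reviewables in other categories from leaking.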

Remediation

Fixed in Discourse 2025.12.2, 2026.1.1 and 2026.2.0, where the reviewable lookup is scoped through Reviewable.viewable_by(current_user). Workaround: disable the enable_category_group_moderation site setting, which leaves only staff users with access to the review queue.

OpenCVE Recommended Actions

  • Upgrade Discourse to version 2025.12.2 or later, 2026.1.1 or later, or 2026.2.0 or later to receive the patch that scopes the reviewable lookup to the current user.
  • If immediate upgrade is not feasible, disable the "enable_category_group_moderation" site setting to remove the attack surface; only staff users will retain access to the review queue.
  • Review membership of category moderation groups so that only trusted users hold them, and audit existing reviewable notes for authors whose groups do not moderate the category the reviewable belongs to; such a note is the trace a successful exploitation would leave.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:45:00 +0000

Weaknesses added: CWE-639
CPEs added: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
            cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Fri, 27 Feb 2026 09:15:00 +0000

First time appeared: Discourse (vendor), Discourse discourse (product)
Vendors & Products added: Discourse (vendor), Discourse discourse (product)

Thu, 26 Feb 2026 20:00:00 +0000

Description added: the CVE description quoted at the top of this page
Title added: Discourse doesn't scope reviewable notes to user-visible reviewables
Weaknesses added: CWE-863
References added
Metrics added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-26T20:41:30.698Z

Reserved: 2026-02-16T22:20:28.612Z

Link: CVE-2026-26973

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-26T20:31:37.327

Modified: 2026-03-02T21:36:35.657

Link: CVE-2026-26973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses