Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Published: 2026-02-26
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

Discourse users with a trust level of 4 (TL4) are able to close, archive, and pin topics in private categories to which they do not normally have access. The flaw lets such a user alter the state of restricted content, bypassing the intended access controls. This privilege escalation can lead to unwanted visibility changes, removal of discussion from view, or concealment of content, compromising the integrity of private discussions. The weakness aligns with CWE-862: Missing Authorization.

Affected Systems

Discourse platforms running any version prior to 2025.12.2, 2026.1.1, or 2026.2.0 are affected. Those older builds expose the privilege escalation to TL4 users.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score is under 1%, so exploitation is unlikely in the short term. The vulnerability is not listed in the CISA KEV catalog, and no workarounds exist. Exploitation requires a legitimate TL4 account; the ability to change the status of topics in private categories follows directly from that role. Because no additional conditions are required, any TL4 user can abuse it as soon as the system is running an affected version.

Generated by OpenCVE AI on April 17, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2025.12.2 or newer releases (2026.1.1, 2026.2.0) where the issue is fixed
  • Remove or lower trust level 4 privileges for users who should not manage private topics, or demote TL4 users until patching
  • Audit moderation logs for status changes on private topics and notify administrators of any unauthorized activity


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:45:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                           cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Metrics   -                cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Discourse
                                       Discourse discourse
Vendors & Products    -                Discourse
                                       Discourse discourse

Thu, 26 Feb 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Title         -                Discourse: TL4 users are able to change status of restricted topics
Weaknesses    -                CWE-862
References    -
Metrics       -                cvssV4_0 {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:38:24.755Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26979

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-26T20:31:37.833

Modified: 2026-03-02T21:34:00.793

Link: CVE-2026-26979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses