Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Bookmark Creation and Metadata Disclosure
Action: Apply Patch
AI Analysis

Impact

Discourse's Data Explorer feature lacked an authorization check when creating QueryGroupBookmarks. This oversight lets any logged-in user create bookmarks for query groups they do not own or have permission to view. As a result, the system can expose metadata about query group access and composition through bookmark reminder notifications, violating confidentiality. The weakness is a missing authorization guard (CWE-862).
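The two-part fix named in the description (a guardian check in `QueryGroupBookmarkable`, plus a `BaseBookmarkable` whose `validate_before_create` raises `NotImplementedError` when a subclass does not override it) is a fail-closed pattern worth seeing in working code. The following is an added, simplified model written for this page; it is not Discourse's own code, and `Guardian`, `QueryGroup`, `BookmarkManager`, `AccessDenied` and the group-membership visibility rule are stand-ins assumed for the example.

```ruby
# Added example: a simplified model of a fail-closed bookmarkable base class.
# Not Discourse's code; all class names and the visibility rule are assumptions.

User = Struct.new(:id, :group_ids)
QueryGroup = Struct.new(:id, :name, :group_id)
Bookmark = Struct.new(:user_id, :bookmarkable_id, :name)

class AccessDenied < StandardError; end

class Guardian
  def initialize(user)
    @user = user
  end

  # Hypothetical visibility rule: a query group is visible only to members
  # of the group it belongs to.
  def can_see_query_group?(query_group)
    @user.group_ids.include?(query_group.group_id)
  end
end

class BaseBookmarkable
  # Fail closed: a bookmarkable that does not implement its own
  # authorization hook raises instead of silently allowing the bookmark.
  def self.validate_before_create(_guardian, _bookmarkable)
    raise NotImplementedError, "#{name} must implement validate_before_create"
  end
end

# Pre-fix shape: no authorization hook at all. With a no-op base method this
# would allow every bookmark; with the fail-closed base it raises instead.
class UnguardedQueryGroupBookmarkable < BaseBookmarkable; end

# Post-fix shape: the guardian check runs before any bookmark is created.
class QueryGroupBookmarkable < BaseBookmarkable
  def self.validate_before_create(guardian, query_group)
    return if guardian.can_see_query_group?(query_group)

    raise AccessDenied, "query group #{query_group.id} is not visible to this user"
  end
end

class BookmarkManager
  def initialize(user)
    @user = user
    @guardian = Guardian.new(user)
  end

  # Returns a Bookmark on success; raises AccessDenied or NotImplementedError
  # otherwise. The check happens before the bookmark (and any reminder that
  # would later leak the target's name) exists.
  def create(bookmarkable_class, target)
    bookmarkable_class.validate_before_create(@guardian, target)
    Bookmark.new(@user.id, target.id, target.name)
  end
end

# Maps the three possible outcomes to symbols so callers can inspect results
# without rescuing exceptions themselves.
def attempt_bookmark(user, bookmarkable_class, target)
  BookmarkManager.new(user).create(bookmarkable_class, target)
  :created
rescue AccessDenied
  :denied
rescue NotImplementedError
  :not_implemented
end

# Constructed sample data.
STAFF_GROUP = 1
PRIVATE_QG = QueryGroup.new(42, "staff-only reports", STAFF_GROUP)
MEMBER = User.new(1, [STAFF_GROUP])
OUTSIDER = User.new(2, [])

if __FILE__ == $PROGRAM_NAME
  p attempt_bookmark(MEMBER, QueryGroupBookmarkable, PRIVATE_QG)            # :created
  p attempt_bookmark(OUTSIDER, QueryGroupBookmarkable, PRIVATE_QG)          # :denied
  p attempt_bookmark(OUTSIDER, UnguardedQueryGroupBookmarkable, PRIVATE_QG) # :not_implemented
end
```

The design point is the third case: an unguarded subclass cannot be created by accident, because the only way to get past the base class is to write an explicit authorization decision. `NotImplementedError` is a `ScriptError` rather than a `StandardError` in Ruby, so a bare `rescue` around bookmark creation would not swallow it; the example rescues it by name only to report the outcome.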

Affected Systems

The problem exists in the open-source Discourse forum platform. Versions up to, but not including, 2025.12.2, 2026.1.1, and 2026.2.0 are affected. Consequently, any site running Discourse 2025.12.1 or earlier, 2026.1.0 or earlier, or 2026.2.0-beta versions is vulnerable. Upgrading to any of the patched releases fixes the issue. No other vendors or products are listed.

Risk and Exploitability

The CVSS score is 1.3, indicating low severity. EPSS is below 1%, meaning that exploitation is currently considered very unlikely. The vulnerability is not listed in the CISA KEV catalogue. Because the flaw requires a logged-in user with access to the Data Explorer interface, an attacker would need either legitimate credentials or an active session. The lack of an authorization guard lets such a user create bookmarks for inaccessible query groups, leaking metadata through reminders. Overall, while the impact is limited to some metadata disclosure, the risk level remains low, and widespread exploitation is not currently reported.

Generated by OpenCVE AI on April 16, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse application to version 2026.2.0 or higher, which contains the fix.
  • Temporarily disable the Data Explorer's QueryGroupBookmarkable functionality or restrict Data Explorer access to trusted roles until the patch is applied.
  • Review Discourse logs for unexpected bookmark creation events in query groups and alert site administrators.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 06:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:30:00 +0000

Type     | Values Removed | Values Added
CPEs     |                | cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Mon, 02 Mar 2026 17:45:00 +0000

Type     | Values Removed | Values Added
CPEs     |                | cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
Metrics  |                | cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Discourse; Discourse discourse
Vendors & Products   |                | Discourse; Discourse discourse

Thu, 26 Feb 2026 20:30:00 +0000

Type         | Values Removed | Values Added
Description  |                | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
Title        |                | Discourse doesn't ensure guardian check when creating QueryGroupBookmark
Weaknesses   |                | CWE-862
References   |                |
Metrics      |                | cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:43:29.850Z

Reserved: 2026-02-18T00:18:53.961Z

Link: CVE-2026-27150

Vulnrichment

Updated: 2026-03-03T01:43:23.343Z

NVD

Status: Analyzed

Published: 2026-02-26T21:28:54.343

Modified: 2026-03-02T18:22:27.023

Link: CVE-2026-27150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses