Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
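As an added illustration of the authorization gap described above, here is a constructed model (not Discourse's own code; every class, field and method name is assumed) showing the vulnerable flow that checks only the source topic beside a hardened flow that also validates write permission on the destination:

```ruby
# Constructed model of the check described in the advisory; not Discourse's code.
# All class, field and method names here are assumptions made for illustration.
User     = Struct.new(:trust_level, :group_ids, :moderated_category_ids)
Category = Struct.new(:id, :read_only, :write_group_ids) # [] = anyone may post
Topic    = Struct.new(:id, :category)

class Guardian
  def initialize(user)
    @user = user
  end

  # Source-side check: TL4 users and category group moderators may move posts.
  def can_move_posts?(topic)
    @user.trust_level >= 4 || @user.moderated_category_ids.include?(topic.category.id)
  end

  # Destination-side check that the fix adds: may this user post in the category?
  def can_create_post_in?(category)
    return false if category.read_only
    return true if category.write_group_ids.empty?
    (@user.group_ids & category.write_group_ids).any?
  end
end

# Vulnerable flow: only the source topic is authorized (CWE-862 on the destination).
def move_posts_vulnerable(guardian, source, destination)
  return :forbidden unless guardian.can_move_posts?(source)
  :moved
end

# Hardened flow: the destination's write permission is validated as well.
def move_posts_fixed(guardian, source, destination)
  return :forbidden unless guardian.can_move_posts?(source)
  return :forbidden unless guardian.can_create_post_in?(destination.category)
  :moved
end

# Constructed sample data: a TL4 user, an open category, a read-only category
# and a category whose posting rights are restricted to group 99.
TL4_USER     = User.new(4, [10], [])
GENERAL      = Category.new(1, false, [])
ANNOUNCE     = Category.new(2, true, [])
STAFF_ONLY   = Category.new(3, false, [99])
SOURCE_TOPIC = Topic.new(100, GENERAL)

# A TL4 user moving posts into the read-only category: :moved before the fix, :forbidden after.
puts move_posts_fixed(Guardian.new(TL4_USER), SOURCE_TOPIC, Topic.new(200, ANNOUNCE)) if __FILE__ == $PROGRAM_NAME
```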
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Permission bypass – users can move posts into categories where they lack posting rights
Action: Upgrade promptly
AI Analysis

Impact

Prior to the fixed releases, Discourse allowed users with trust level 4 or category moderator rights to move posts from one topic to another without checking whether they could write in the destination topic. This lets those users populate read-only or group-restricted categories with content they should not be able to add, potentially violating moderation policies, misleading readers, and undermining content integrity.

Affected Systems

Discourse open-source discussion platform, versions before 2025.12.2, 2026.1.1, and 2026.2.0. On those releases, users with trust level 4 (TL4) or category moderator rights hold the permissions needed to trigger the issue.

Risk and Exploitability

The CVSS score is 1.3, indicating a low-severity weakness. EPSS is below 1%, showing a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate user credentials with sufficient moderation rights and occurs through the normal move-posts interface or API, making this a limited privilege escalation rather than broad remote code execution.

Generated by OpenCVE AI on April 16, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Discourse release (2025.12.2 or newer) that includes the destination-topic permission check.
  • If an upgrade cannot be performed immediately, restrict trust level 4 and category moderator permissions in categories where posting rights are denied, or disable the move_posts feature for these users through custom rules.
  • Continuously monitor post-movement logs for posts appearing in categories where their creators lack write permission and review such incidents for potential policy violations.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 06:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:15:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                            cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Metrics                     cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Discourse
                                       Discourse discourse
Vendors & Products                     Discourse
                                       Discourse discourse

Thu, 26 Feb 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Title                          Discourse doesn't validate destination topic when moving posts
Weaknesses                     CWE-862
References
Metrics                        cvssV4_0: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:42:49.872Z

Reserved: 2026-02-18T00:18:53.962Z

Link: CVE-2026-27151

Vulnrichment

Updated: 2026-03-03T01:42:46.142Z

NVD

Status : Analyzed

Published: 2026-02-26T21:28:54.493

Modified: 2026-03-02T18:02:24.923

Link: CVE-2026-27151

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses