Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipient PM restrictions that are enforced during DM channel creation. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of DM communication preferences
Action: Patch
AI Analysis

Impact

Discourse allows adding members to a chat channel through the Chat::AddUsersToChannel routine, but before versions 2025.12.2, 2026.1.1, and 2026.2.0 that routine does not consult the target user's blocked, ignored, or muted settings. An authenticated user can therefore add recipients who have explicitly chosen not to receive messages from them to an existing direct-message channel, violating their privacy preferences and potentially exposing them to sensitive or unwanted content. The CVSS score of 1.3 indicates low severity, but exploitation can still cause annoyance or privacy breaches for the affected users.
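To make the gap concrete, here is an added Ruby sketch (not Discourse's code; every name in it is a hypothetical stand-in) that models one screening rule enforced on DM creation, the unchecked member-add path the advisory describes, and a hardened add path that reuses the same screen:

```ruby
require "set"

# Added illustration, not Discourse's code. CommPreferences, PREFS, DmChannel,
# Result and the three service methods are all hypothetical stand-ins.

# What one recipient has opted out of: actors they blocked, ignored or muted.
CommPreferences = Struct.new(:blocked, :ignored, :muted) do
  def rejects?(actor)
    [blocked, ignored, muted].any? { |set| set.include?(actor) }
  end
end

# Constructed sample state: "bob" has blocked "mallory", "carol" has muted her.
PREFS = Hash.new { |h, user| h[user] = CommPreferences.new(Set.new, Set.new, Set.new) }
PREFS["bob"].blocked << "mallory"
PREFS["carol"].muted << "mallory"

DmChannel = Struct.new(:members)
Result    = Struct.new(:success, :channel, :rejected)

# The per-recipient screen: which of `recipients` refuse messages from `actor`.
def preventing_actor_communication(actor, recipients)
  recipients.select { |r| PREFS[r].rejects?(actor) }
end

# DM creation path: the screen is enforced here, as the advisory states.
def create_dm_channel(actor, recipients)
  rejected = preventing_actor_communication(actor, recipients)
  return Result.new(false, nil, rejected) if rejected.any?
  Result.new(true, DmChannel.new(Set[actor, *recipients]), [])
end

# Shape of the bug: adding members to an existing channel never consults the
# screen, so the creation-time restriction is sidestepped.
def add_users_unchecked(channel, _actor, targets)
  channel.members.merge(targets)
  Result.new(true, channel, [])
end

# Hardened add path: run the same screen before touching membership, and
# reject the whole request instead of silently dropping some targets.
def add_users_checked(channel, actor, targets)
  rejected = preventing_actor_communication(actor, targets)
  return Result.new(false, channel, rejected) if rejected.any?
  channel.members.merge(targets)
  Result.new(true, channel, [])
end
```

The point to carry over to real code is that both entry points into a DM channel's membership must call one shared screening routine, so a later audit only has to verify that single call site.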

Affected Systems

The vulnerability affects installations of the open-source Discourse discussion platform running any release older than 2025.12.2, 2026.1.1, or 2026.2.0. Those releases contain the affected Chat::AddUsersToChannel code path and are identified in the CPE list under the vendor and product name "Discourse".

Risk and Exploitability

Exploitation requires an authenticated user with permission to add members to a channel. Based on the description, it is inferred that the attacker must be able to invoke Chat::AddUsersToChannel and hold sufficient channel-management rights, which are not generally granted to all users. The EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The overall risk is therefore modest and consists primarily of privacy violations rather than system compromise.

Generated by OpenCVE AI on April 16, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Discourse installation to a patched release (2025.12.2, 2026.1.1, or 2026.2.0) or later to apply the fixed code
  • Restrict the ability to add members to DM channels to users who genuinely need it, removing unnecessary access
  • Audit existing DM channels for members who were added despite having blocked, ignored, or muted the user who added them, and remove them where appropriate

Generated by OpenCVE AI on April 16, 2026 at 16:03 UTC.


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 06:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:15:00 +0000

CPEs added:
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Metrics added: cvssV3_1
{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Fri, 27 Feb 2026 09:15:00 +0000

First time appeared: Discourse; Discourse discourse
Vendors & Products added: Discourse; Discourse discourse

Thu, 26 Feb 2026 20:30:00 +0000

Description added: the description text shown at the top of this page
Title added: Discourse has DM communication-preference bypass when adding members
Weaknesses added: CWE-284
References: no values listed
Metrics added: cvssV4_0
{'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:41:16.401Z

Reserved: 2026-02-18T00:18:53.962Z

Link: CVE-2026-27152

Vulnrichment

Updated: 2026-03-03T01:41:11.055Z

NVD

Status : Analyzed

Published: 2026-02-26T21:28:54.650

Modified: 2026-03-02T18:03:28.333

Link: CVE-2026-27152

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses