Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian)` to properly filter post types based on user permissions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Published: 2026-02-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The flaw in Discourse causes whispers, posts inside a topic that are meant to be visible only to users allowed to whisper (staff and whisper-enabled groups), to be included in the set of nearby posts that Discourse uses when it builds excerpt snippets, so their content is shown to participants who should not see it. This is a confidentiality breach and a classic information-disclosure weakness (CWE-200). The root cause is in `posts_nearby`: it checked that the caller could access the topic, but then returned every post in the window regardless of `post_type` instead of scoping the query with `Post.secured(guardian)`, so any whisper adjacent to the requested post came back unfiltered.
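
The two query shapes described above, as an added example that is not Discourse's code and not taken from the advisory: a self-contained Ruby model in which a topic-level check is followed by an unfiltered post query (the vulnerable shape) and then by a per-post guardian filter (the role `Post.secured(guardian)` plays in the real fix). The names `PostStore`, `posts_nearby_vulnerable`, `posts_nearby_secured` and `Guardian#can_see_post?` are assumptions, the sample topics, posts and users are constructed, and the whisper visibility rule in the stub (staff plus members of a whisper-allowed group) is a simplification of Discourse's behaviour. Only the `post_type` numbers mirror Discourse's `Post.types`.

```ruby
# Constructed model of the CVE-2026-27162 pattern. NOT Discourse's code:
# class/method names are assumptions; the real Post.secured(guardian) is an
# ActiveRecord scope and the real Guardian is far richer than this stub.

Post  = Struct.new(:id, :topic_id, :post_number, :post_type, :raw)
Topic = Struct.new(:id, :restricted, :allowed_group)
User  = Struct.new(:name, :staff, :groups)

# Mirrors Discourse's Post.types numbering; everything else here is invented.
POST_TYPES = { regular: 1, moderator_action: 2, small_action: 3, whisper: 4 }.freeze

# Minimal stand-in for a Guardian: answers "what may this user see?".
class Guardian
  def initialize(user, whisper_groups)
    @user = user                      # nil models an anonymous visitor
    @whisper_groups = whisper_groups  # groups whose members may see whispers
  end

  def can_see_topic?(topic)
    return true unless topic.restricted
    return false if @user.nil?
    @user.staff || @user.groups.include?(topic.allowed_group)
  end

  def can_see_whispers?
    return false if @user.nil?
    @user.staff || (@user.groups & @whisper_groups).any?
  end

  # Post-level check: topic visible AND post type permitted for this user.
  # This is exactly the check the vulnerable query path never applied.
  def can_see_post?(post, topic)
    return false unless can_see_topic?(topic)
    post.post_type != POST_TYPES[:whisper] || can_see_whispers?
  end
end

class PostStore
  def initialize(topics, posts)
    @topics = topics.each_with_object({}) { |t, h| h[t.id] = t }
    @posts  = posts
  end

  # Vulnerable shape: topic access is checked, then every post within the
  # window is returned regardless of post_type, so an adjacent whisper leaks.
  def posts_nearby_vulnerable(guardian, topic_id, post_number, window: 1)
    topic = @topics.fetch(topic_id)
    return [] unless guardian.can_see_topic?(topic)
    @posts.select do |p|
      p.topic_id == topic_id && (p.post_number - post_number).abs <= window
    end
  end

  # Fixed shape: same topic check, then each row is filtered by the
  # post-level check, which is what scoping with Post.secured(guardian) does.
  def posts_nearby_secured(guardian, topic_id, post_number, window: 1)
    topic = @topics.fetch(topic_id)
    posts_nearby_vulnerable(guardian, topic_id, post_number, window: window)
      .select { |p| guardian.can_see_post?(p, topic) }
  end
end

# Constructed sample data: a public topic with a whisper between two public
# posts, plus a restricted topic to show the topic check is preserved.
WHISPER_GROUPS = ["staff"].freeze

def build_store
  topics = [Topic.new(1, false, nil), Topic.new(2, true, "vip")]
  posts  = [
    Post.new(10, 1, 1, POST_TYPES[:regular], "Public question"),
    Post.new(11, 1, 2, POST_TYPES[:whisper], "Whisper: moderators only"),
    Post.new(12, 1, 3, POST_TYPES[:regular], "Public answer"),
    Post.new(20, 2, 1, POST_TYPES[:regular], "VIP-only post"),
  ]
  PostStore.new(topics, posts)
end

STAFF  = User.new("mod", true, ["staff"]).freeze
MEMBER = User.new("alice", false, ["trust_level_1"]).freeze

# Raw text of the nearby posts as a given user (nil = anonymous) receives
# them from either the vulnerable or the fixed query.
def nearby_raws(user, topic_id, post_number, vulnerable:)
  guardian = Guardian.new(user, WHISPER_GROUPS)
  store = build_store
  posts = if vulnerable
            store.posts_nearby_vulnerable(guardian, topic_id, post_number)
          else
            store.posts_nearby_secured(guardian, topic_id, post_number)
          end
  posts.map(&:raw)
end

if __FILE__ == $PROGRAM_NAME
  [[MEMBER, "member"], [nil, "anonymous"], [STAFF, "staff"]].each do |user, label|
    puts "#{label} vulnerable: #{nearby_raws(user, 1, 2, vulnerable: true).inspect}"
    puts "#{label} secured:    #{nearby_raws(user, 1, 2, vulnerable: false).inspect}"
  end
end
```

Run it and the vulnerable query hands the ordinary member and the anonymous visitor the whisper text next to post 2, while the secured query returns only the two public posts to them and all three to staff; the restricted topic stays empty for both paths unless the user is in the allowed group, which is the topic-level check the original code already got right.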

Affected Systems

Discourse, the open-source forum platform, is affected. All releases before 2025.12.2, 2026.1.1 and 2026.2.0 contain the flaw; those three versions are the fixed builds of their respective release lines. Administrators running an earlier version should upgrade to the fixed build of their line (2025.12.2, 2026.1.1 or 2026.2.0) or to any newer release.

Risk and Exploitability

The vulnerability has a CVSS score of 4.9 (Medium). The EPSS score is below 1%, so the modelled probability of exploitation in the wild is low, and it is not in CISA's Known Exploited Vulnerabilities catalog; the SSVC record likewise notes no known exploitation and a partial technical impact. The two published vectors disagree on the privilege required: NVD's CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) rates it high, while the CNA's CVSS 4.0 vector (PR:L) rates it low. In practice the attacker must already be able to read the topic containing the whisper, because `posts_nearby` still enforced the topic-level check; whispers in topics the user cannot open do not leak. No tooling or crafted input is needed beyond normal forum usage: viewing an excerpt built from posts adjacent to a whisper returns the whisper text. Because the flaw is disclosure-only but reachable by any such user, the severity is moderate while the current likelihood of exploitation is low.

Generated by OpenCVE AI on April 16, 2026 at 16:03 UTC.

Remediation

Vendor fix: upgrade to Discourse 2025.12.2, 2026.1.1 or 2026.2.0 (or newer). No workaround is available.

OpenCVE Recommended Actions

  • Upgrade Discourse to a patched release (2025.12.2, 2026.1.1, 2026.2.0, or newer).
  • If a custom plugin wraps or reimplements posts_nearby, or any other query that returns posts after only a topic-level check, scope the relation with Post.secured(guardian) so that post types the user may not see, such as whispers, are filtered out before the posts are rendered.
  • The advisory lists no workaround. Until the upgrade is applied, assume that a whisper in any topic may be readable by every user who can read that topic, and do not rely on whispers to hide sensitive information in the meantime.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 06:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
              cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values added: Discourse; Discourse discourse

Type: Vendors & Products
Values added: Discourse; Discourse discourse


Thu, 26 Feb 2026 20:30:00 +0000

Type: Description
Values added: Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian)` to properly filter post types based on user permissions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Type: Title
Values added: Discourse doesn't prevent whispers from leaking in excerpts

Type: Weaknesses
Values added: CWE-200

Type: References
Values added:

Type: Metrics (cvssV4_0)
Values added: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T01:41:54.076Z

Reserved: 2026-02-18T00:18:53.962Z

Link: CVE-2026-27162

Vulnrichment

Updated: 2026-03-03T01:41:49.187Z

NVD

Status : Analyzed

Published: 2026-02-26T21:28:54.800

Modified: 2026-03-02T18:07:19.327

Link: CVE-2026-27162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses