Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or if the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user by simply enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and calls guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.
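As an added illustration (not Discourse's code), a simplified Ruby model of the missing-authorization pattern (CWE-862) described above: the pre-fix path serves whatever revision is requested, while the fixed path loads the revision and runs a Guardian#ensure_can_see! equivalent before returning it. The User, PostRevision and Guardian classes, the hidden flag and the sample revisions are constructed stand-ins.

```ruby
# Constructed stand-ins, not Discourse's models: a PostRevision row carries a
# hidden flag set by staff, and a Guardian answers visibility questions for a user.
class NotFound < StandardError; end
class InvalidAccess < StandardError; end

User = Struct.new(:name, :staff)
PostRevision = Struct.new(:post_id, :number, :raw, :hidden)

class Guardian
  def initialize(user)
    @user = user # nil represents an anonymous request
  end

  # Hidden revisions are visible only to staff; everyone may see unhidden ones.
  def can_see?(revision)
    return true unless revision.hidden
    !@user.nil? && @user.staff
  end

  def ensure_can_see!(revision)
    raise InvalidAccess, "revision #{revision.number} is not visible" unless can_see?(revision)
  end
end

# Constructed sample data: revision 2 of post 42 was hidden by staff.
REVISIONS = [
  PostRevision.new(42, 2, "leaked draft text", true),
  PostRevision.new(42, 3, "current public text", false),
]

def find_revision(post_id, number)
  REVISIONS.find { |r| r.post_id == post_id && r.number == number }
end

# Pre-fix behaviour: the requested version is served with no visibility check,
# so enumerating version numbers reveals hidden revisions.
def display_post_vulnerable(post_id, version)
  rev = find_revision(post_id, version) or raise NotFound
  rev.raw
end

# Fixed behaviour: look the revision up, authorize against the guardian, then serve.
def display_post_fixed(post_id, version, user)
  rev = find_revision(post_id, version) or raise NotFound
  Guardian.new(user).ensure_can_see!(rev)
  rev.raw
end
```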
Published: 2026-03-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass Allowing Hidden Post Revision Disclosure
Action: Patch
AI Analysis

Impact

Before the fixed releases, Discourse allows any user to read hidden post revisions via the /posts/:id.json?version path. The endpoint bypasses the checks that should enforce revision visibility, so staff-hidden revisions can be exposed to anyone who has access to the forum, a confidentiality breach of content intended to remain internal.

Affected Systems

All Discourse releases older than 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are vulnerable. The platform is the open-source forum software Discourse.

Risk and Exploitability

CVSS 5.3 indicates moderate severity; EPSS <1% suggests low exploitation probability, and the issue is not in CISA KEV. It is exploitable via a simple HTTP GET against the affected endpoint, requiring only knowledge of the post ID and a revision number. Because the endpoint does not enforce visibility, any user who can enumerate revisions can read content that should be hidden, posing a confidentiality risk for edits that staff intended to conceal.

Generated by OpenCVE AI on March 25, 2026 at 03:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or newer to enable the guardian.ensure_can_see! check.



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 01:15:00 +0000

Type: CPEs
Values (removed / added):
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 20 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values (removed / added):
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values (removed / added): Discourse; Discourse discourse
Type: Vendors & Products
Values (removed / added): Discourse; Discourse discourse

Thu, 19 Mar 2026 21:00:00 +0000

Type: Description
Values (removed / added): Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or if the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user by simply enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and call guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.
Type: Title
Values (removed / added): Discourse has check revision visibility on posts endpoint
Type: Weaknesses
Values (removed / added): CWE-862
Type: References
Values (removed / added):
Type: Metrics (cvssV3_1)
Values (removed / added): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T17:10:14.076Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27454

Vulnrichment

Updated: 2026-03-20T17:10:10.653Z

NVD

Status : Analyzed

Published: 2026-03-19T21:17:08.920

Modified: 2026-03-25T01:01:56.147

Link: CVE-2026-27454

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:58Z

Weaknesses