Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Warning Issuance
Action: Patch
AI Analysis

Impact

A type coercion bug in Discourse’s post‑actions API allows a logged‑in user who is not staff to craft a request that creates a warning against another user. Because warnings are intended for moderation staff, this flaw gives non‑staff members a limited moderation privilege, potentially affecting user reputation and platform trust. The vulnerability does not reveal data or provide full privilege escalation beyond warning creation.
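The bug class described above, as an added example that is not Discourse's code: a hypothetical Rails-style post actions endpoint in which the staff check and the warning side effect coerce the same `is_warning` request parameter in two different ways, beside a version that normalises the parameter once and uses that single value for both. The class names, the parameter name and the specific coercion mismatch are assumptions for illustration; the advisory does not state the exact crafted request.

```ruby
# Constructed illustration of a type-coercion authorization bypass in a
# Rails-style "post actions" endpoint. Not Discourse's code: the class names,
# the "is_warning" parameter and the exact coercion mistake are hypothetical.
# The point it shows: when the staff check and the side effect derive a
# boolean from the same raw string in two different ways, a value that is
# "not true" for the check but "truthy" for the effect slips through.

User = Struct.new(:name, :staff) do
  def staff?
    staff
  end
end

UserWarning = Struct.new(:from, :to)

class VulnerableEndpoint
  attr_reader :warnings

  def initialize
    @warnings = []
  end

  # params is a string-keyed hash, as Rack hands query/form data to Rails.
  def create(current_user, target, params)
    # Authorization compares the raw parameter against one literal spelling...
    return :forbidden if params["is_warning"] == "true" && !current_user.staff?

    # ...while the code that performs the action treats any present value
    # other than "false" as a request for a warning. "1", "yes" and "TRUE"
    # all pass the check above and still reach this branch.
    is_warning = params.key?("is_warning") && params["is_warning"] != "false"
    @warnings << UserWarning.new(current_user.name, target.name) if is_warning
    :ok
  end
end

class FixedEndpoint
  attr_reader :warnings

  # Allow-list of spellings accepted as true. (ActiveModel::Type::Boolean takes
  # the opposite approach, a deny-list of false spellings; either works as long
  # as the check and the action both use the same cast.)
  TRUE_VALUES = %w[true t yes y on 1].freeze

  def initialize
    @warnings = []
  end

  def self.cast_bool(value)
    TRUE_VALUES.include?(value.to_s.strip.downcase)
  end

  def create(current_user, target, params)
    # Normalise once, then authorise and act on that single value.
    is_warning = self.class.cast_bool(params["is_warning"])
    return :forbidden if is_warning && !current_user.staff?

    @warnings << UserWarning.new(current_user.name, target.name) if is_warning
    :ok
  end
end

# Drive both endpoints with the same constructed accounts and requests.
def demo
  attacker = User.new("attacker", false) # ordinary logged-in user
  target   = User.new("target", false)
  mod      = User.new("mod", true)       # staff

  vuln  = VulnerableEndpoint.new
  fixed = FixedEndpoint.new

  {
    vuln_literal_true: vuln.create(attacker, target, { "is_warning" => "true" }), # :forbidden
    vuln_coerced:      vuln.create(attacker, target, { "is_warning" => "1" }),    # :ok, bypass
    vuln_warnings:     vuln.warnings.size,                                         # 1
    fixed_coerced:     fixed.create(attacker, target, { "is_warning" => "1" }),   # :forbidden
    fixed_staff:       fixed.create(mod, target, { "is_warning" => "1" }),        # :ok
    fixed_warnings:    fixed.warnings.size                                         # 1
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The vulnerable endpoint rejects the obvious `is_warning=true` from a non-staff account but lets `is_warning=1` through and still records the warning; the fixed endpoint computes the boolean once, so every spelling the action would honour is also the spelling the authorization check sees.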

Affected Systems

The issue affects all Discourse releases earlier than 2026.3.0‑latest.1, 2026.2.1 and 2026.1.2; the NVD CPE match added on 25 Mar 2026 covers every discourse:discourse version plus the 2026.3.0 "latest" build. Exploitation requires an authenticated account, so unauthenticated visitors cannot reach the vulnerable code path.

Risk and Exploitability

The CVSS v4.0 score of 6.9 is rated medium. Its vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N) records no privileges required and a low confidentiality impact, which conflicts with the description and with the NVD CVSS v3.1 vector (PR:L, C:N/I:L, score 4.3): exploitation needs an ordinary logged‑in account, not anonymous access, and the effect is on the integrity of moderation records, not on data exposure. EPSS puts the exploitation likelihood below 1 %, the CVE is not listed in CISA's KEV catalog, and the CISA SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The attack is remote via the API and requires an authenticated user to send a crafted request; any account holder can therefore abuse the warning system, but no other system resources are affected.

Generated by OpenCVE AI on March 25, 2026 at 03:25 UTC.

Remediation

Patched releases 2026.3.0‑latest.1, 2026.2.1 and 2026.1.2 are available from the vendor. No workaround short of upgrading is known.

OpenCVE Recommended Actions

  • Upgrade to a patched release: 2026.3.0‑latest.1, 2026.2.1 or 2026.1.2, or any later version on the same branch
  • Verify after upgrading that only staff members can trigger the warning endpoint by attempting the call with a non‑staff account
  • Monitor logs for unusual warning creation attempts by non‑staff users

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 01:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                           cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics                    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 20 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Discourse
                                      Discourse discourse
Vendors & Products                    Discourse
                                      Discourse discourse

Thu, 19 Mar 2026 21:00:00 +0000

Type         Values Removed   Values Added
Description                   Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title                         Discourse has a bypass of official warnings messages by non-staff users
Weaknesses                    CWE-862
References
Metrics                       cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:20:00.790Z

Reserved: 2026-02-19T19:46:03.541Z

Link: CVE-2026-27491

Vulnrichment

Updated: 2026-03-20T20:19:57.347Z

NVD

Status : Analyzed

Published: 2026-03-19T21:17:09.090

Modified: 2026-03-25T01:00:41.607

Link: CVE-2026-27491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:57Z

Weaknesses