CVE-2026-27935 - Vulnerability Details

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

discourse

affected

Version	Status	Constraints
`>= 2026.1.0-latest, < 2026.1.2`	affected	—
`>= 2026.2.0-latest, < 2026.2.1`	affected	—
`= 2026.3.0-latest`	affected	—

No data.

Subscriptions

No data.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc
https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897
https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab
https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76

History

Thu, 19 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title		Discourse leaks private topic metadata to non-authorized users
Weaknesses		CWE-201
References		https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897 https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-19T21:33:38.459Z

Updated: 2026-03-19T21:33:38.459Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27935

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-19T22:16:30.997

Modified: 2026-03-19T22:16:30.997

Link: CVE-2026-27935

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-201

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Subscriptions

Tracking

JSON object

JSON object

JSON object

JSON object

JSON object