Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A restriction bypass in Discourse allows the disclosure of restricted post-action counts to users who do not have the required privileges, enabling them to see metadata that should remain confidential. The weakness is an Authorization Bypass described by CWE-863, leading to unauthorized exposure of user activity data.

Affected Systems

The affected product is the Discourse open-source discussion platform. Versions earlier than 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are vulnerable. Users running these releases should verify their installation and upgrade if possible.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low predicted probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending a crafted HTTP request to a Discourse endpoint; no privileged access is required to benefit from the disclosure.

Generated by OpenCVE AI on March 24, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse version 2026.3.0-latest.1 or newer.
  • Upgrade to Discourse version 2026.2.1 or newer if you are on an earlier 2026.2.x release.



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type      Values Removed   Values Added
CPEs      (none)           cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                           cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics   (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Discourse
                                       Discourse discourse
Vendors & Products    (none)           Discourse
                                       Discourse discourse

Thu, 19 Mar 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title         (none)           Discourse discloses restricted post-action counts to non-privileged users
Weaknesses    (none)           CWE-863
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:45:26.962Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27936

Vulnrichment

Updated: 2026-03-24T01:45:23.251Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:31.157

Modified: 2026-03-23T20:17:51.480

Link: CVE-2026-27936

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:39Z

Weaknesses