Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access via SQL
Action: Apply Patch
AI Analysis

Impact

Discourse's Data Explorer plugin did not enforce group permissions on saved queries that had no explicit group assignment, so any authenticated user could run them, including the built-in system queries. This access control flaw, classified as CWE-284, could let an attacker read or modify sensitive database content through those queries, potentially exposing private data or compromising the application. The vulnerability is mitigated by restricting every query to approved groups or by disabling the plugin.
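As an added illustration of the fail-open pattern the description names (example code written for this page, not Discourse's or the plugin's own implementation; the query table, user hashes and function names are constructed), the vulnerable check beside a fail-closed one, plus the audit the workaround asks for:

```ruby
# Constructed sample data: saved Data Explorer-style queries and the groups
# allowed to run them. An empty :groups list means "no explicit assignment".
QUERIES = {
  "recent-signups" => {
    sql: "SELECT id, created_at FROM users ORDER BY id DESC LIMIT 10",
    groups: ["staff"]
  },
  "system-user-emails" => {          # built-in query nobody assigned a group to
    sql: "SELECT email FROM user_emails",
    groups: []
  }
}.freeze

# Vulnerable (fail-open): a query with no group assignments is treated as
# unrestricted, so every authenticated user passes the check.
def can_run_fail_open?(query, user)
  return true if user[:admin]
  query[:groups].empty? || (query[:groups] & user[:groups]).any?
end

# Fixed (fail-closed): admins may run anything; everyone else needs an explicit
# group match, so an unassigned query denies ordinary users instead of allowing them.
def can_run_fail_closed?(query, user)
  return true if user[:admin]
  (query[:groups] & user[:groups]).any?
end

# Workaround audit: list the queries that still lack any group assignment so an
# admin can set permissions on them explicitly.
def unassigned_queries(queries)
  queries.select { |_, q| q[:groups].empty? }.keys
end

if __FILE__ == $0
  member = { admin: false, groups: ["trust_level_1"] }   # constructed ordinary user
  q = QUERIES["system-user-emails"]
  puts "fail-open  allows member: #{can_run_fail_open?(q, member)}"
  puts "fail-closed allows member: #{can_run_fail_closed?(q, member)}"
  puts "queries needing explicit groups: #{unassigned_queries(QUERIES).join(', ')}"
end
```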

Affected Systems

Discourse installations running any version before 2025.12.2, 2026.1.1, or 2026.2.0 are susceptible. The patched releases address the fail-open access control issue. Every Discourse installation that uses the Data Explorer plugin and has not upgraded to one of these fixed versions is at risk.

Risk and Exploitability

This vulnerability has a CVSS score of 5.3, indicating moderate risk. EPSS is below 1%, meaning exploitation is unlikely at this time, and it is not listed in the CISA KEV catalog. An attacker would need only an authenticated account and the Data Explorer plugin enabled; no privileges beyond those of a normal user are necessary. Despite the low exploitation probability, organizations should monitor for suspicious query activity and upgrade to one of the patched releases promptly.

Generated by OpenCVE AI on April 16, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse version 2025.12.2, 2026.1.1, or 2026.2.0 or newer to apply the vendor fix.
  • Disable the Data Explorer plugin if it is not required for operations.
  • If the plugin must remain enabled, configure explicit group permissions for every Data Explorer query that currently lacks permissions.


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
                           cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Metrics                    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Fri, 27 Feb 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Discourse
                                      Discourse discourse
Vendors & Products                    Discourse
                                      Discourse discourse

Thu, 26 Feb 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description                   Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.
Title                         Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
Weaknesses                    CWE-284
References
Metrics                       cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T21:10:27.953Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28218

Vulnrichment

Updated: 2026-03-02T20:58:58.671Z

NVD

Status: Analyzed

Published: 2026-02-26T22:20:49.600

Modified: 2026-03-02T18:12:49.360

Link: CVE-2026-28218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses