Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.
Published: 2026-02-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An improper authorization check in the topic management logic of Discourse allows an authenticated user to alter privileged attributes of a topic. By crafting specific parameters in a PUT or POST request, a regular user can promote a topic to a site‑wide notice or banner, effectively bypassing administrative restrictions. This flaw represents a classic privilege escalation scenario, enabling a non‑admin to exercise capabilities reserved for site managers.

Affected Systems

Discourse, the open source discussion platform, is affected in all releases prior to 2025.12.2, 2026.1.1, and 2026.2.0. Users running any of these unpatched versions are vulnerable to the mass assignment exploitation described.

Risk and Exploitability

The CVSS score of 1.3 indicates a low severity rating, and the EPSS score of less than 1% suggests a very low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation at this time. Attackers need only authenticated access; the flaw can be triggered via standard HTTP topic update endpoints, and no additional prerequisites such as privileged network access are required. While the impact is confined to the user’s own topics, the ability to create site‑wide banners can misrepresent official communications or obscure legitimate notices.
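The weakness class here is CWE-915 (mass assignment): a topic update endpoint writes every attribute found in the request body without checking whether the caller's role may set that attribute. The following Ruby is an added illustration of the mitigation pattern and is not Discourse's own code; the attribute names (`banner`, `pinned_globally`), the `User` and `Topic` structs and the function names are hypothetical stand-ins. It contrasts an unchecked write-through with a role-derived allowlist that drops privileged keys and reports them, which is also the signal an administrator would want logged when auditing banner and notice changes.

```ruby
# Added example (not Discourse code): role-based parameter allowlisting as a
# mitigation for CWE-915 mass assignment. All names here are hypothetical.
require 'set'

# Attributes any topic author may change on their own topic.
AUTHOR_ATTRS = Set.new(%w[title category_id tags]).freeze
# Attributes only staff may change; these include site-wide promotion.
STAFF_ATTRS = Set.new(%w[banner pinned_globally visible]).freeze

# Minimal stand-ins for the request principal and the stored topic.
User = Struct.new(:id, :staff, keyword_init: true)
Topic = Struct.new(:id, :user_id, :title, :category_id, :tags,
                   :banner, :pinned_globally, :visible, keyword_init: true)

# Vulnerable pattern: every key in the request body is written through,
# so a regular user can set privileged attributes on their own topic.
def update_topic_unfiltered(topic, params)
  params.each { |k, v| topic[k.to_sym] = v if topic.respond_to?(k) }
  topic
end

# Hardened pattern: derive the permitted key set from the caller's role and
# drop everything else. Returns the kept hash and the rejected keys so the
# caller can record the rejections.
def permitted_topic_params(params, user)
  allowed = AUTHOR_ATTRS.dup
  allowed.merge(STAFF_ATTRS) if user.staff
  kept = {}
  rejected = []
  params.each do |k, v|
    key = k.to_s
    if allowed.include?(key)
      kept[key] = v
    else
      rejected << key
    end
  end
  [kept, rejected]
end

# Ownership check first, then the allowlist; rejected privileged keys are
# the detection signal worth logging.
def update_topic_filtered(topic, params, user)
  unless user.staff || topic.user_id == user.id
    raise ArgumentError, 'caller does not own this topic'
  end
  kept, rejected = permitted_topic_params(params, user)
  kept.each { |k, v| topic[k.to_sym] = v }
  warn "dropped non-permitted topic attributes: #{rejected.join(', ')}" unless rejected.empty?
  topic
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: one author-level key plus one privileged key.
  body = { 'title' => 'Updated title', 'banner' => true }
  author = User.new(id: 7, staff: false)
  topic = Topic.new(id: 1, user_id: 7, title: 'Original', banner: false,
                    pinned_globally: false, visible: true)
  puts "unfiltered banner: #{update_topic_unfiltered(topic.dup, body).banner}"
  puts "filtered banner:   #{update_topic_filtered(topic.dup, body, author).banner}"
end
```

The allowlist is computed from the authenticated principal rather than from the request, so a client cannot widen it by adding keys. Returning the rejected keys, rather than silently ignoring them, gives operators a concrete event to alert on while a patch is being rolled out.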

Generated by OpenCVE AI on April 16, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Discourse version 2025.12.2, 2026.1.1, or 2026.2.0, which contain the necessary authorization fix
  • If an update cannot be performed immediately, remove or disable the ability for normal users to set topics as global banners by tightening role permissions or disabling the relevant feature flag until the patch is applied
  • Review recent banner and global notice changes to identify any unauthorized modifications and revert or remediate them as necessary

Generated by OpenCVE AI on April 16, 2026 at 16:01 UTC.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*; cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*
Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Discourse; Discourse discourse
Type: Vendors & Products
Values Added: Discourse; Discourse discourse

Thu, 26 Feb 2026 21:45:00 +0000

Type: Description
Values Added: Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.
Type: Title
Values Added: Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners
Type: Weaknesses
Values Added: CWE-915
Type: References
Values Added:
Type: Metrics
Values Added: cvssV4_0 {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:08:17.328Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28219

Vulnrichment

Updated: 2026-03-03T15:08:12.452Z

NVD

Status : Analyzed

Published: 2026-02-26T22:20:49.767

Modified: 2026-03-02T18:12:13.017

Link: CVE-2026-28219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses