Impact
Discourse, an open source discussion platform, contains a flaw that allows any user with Teaching Lead (TL4) authority to create new topics in staff-only categories using the publish_to_category function of a topic timer. The vulnerability stems from missing authorization checks, giving TL4 users the ability to insert topics into staff-only categories they normally cannot, resulting in unauthorized content publication. This flaw is classified as CWE authorization check.
Affected Systems
Discourse participants running any version prior to 2025.12.2, 2026.1.1, or 2026.2.0 are affected. The issue applies to the Discourse application itself, and the specific CPE strings identify all versions of the software found in the vulnerability list. All other versions released after those patches are considered fixed.
Risk and Exploitability
With a CVSS score of 1.2, attackers face only minimal consequences, and the EPSS score of 3% indicates a low probability of exploitation. No known exploit activity exists, and the vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector requires an authenticated TL4 user and does not assume. a public exploit, the risk is limited to potential misuse by legitimate staff members with TL4 rights who can trigger topic timers to publish content where they should not.
OpenCVE Enrichment