Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Published: 2026-03-19
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized group membership addition exposing private content
Action: Apply patch
AI Analysis

Impact

The flaw resides in the discourse-policy plugin of the Discourse forum platform. A user with permission to create or edit policies can use the `add-users-to-group` attribute to add themselves to any private or restricted group. This sidesteps the normal group access controls and lets the user read topics that are otherwise restricted to group members. The weakness is improper authorization logic, classified as CWE-863.

Affected Systems

Discourse, the open-source discussion software, is affected: versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The fix ships in releases 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, yet the vulnerability permits privilege escalation within the application for users with policy-creation rights. EPSS is below 1%, implying a low exploitation probability. It is not listed in the CISA KEV catalog. The attack vector is application-level and requires an authenticated user who has permission to create or modify policies; no external network exposure is needed. This inference is based on the description provided.

Generated by OpenCVE AI on March 24, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Discourse to version 2026.3.0-latest.1 or newer, or to the 2026.2.1 or 2026.1.2 patched releases.
  • If a quick upgrade is not possible, review all policies that use `add-users-to-group` and remove that attribute from the policy until a patch is applied.
  • Alternatively, disable the discourse-policy plugin by setting `policy_enabled` to false in the site settings.
  • Restrict policy-creation permission to trusted administrators and audit existing policies regularly.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Thu, 19 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Title Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:10:26.922Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28282

Vulnrichment

Updated: 2026-03-20T17:01:00.627Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:31.317

Modified: 2026-03-23T20:16:43.230

Link: CVE-2026-28282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:39Z

Weaknesses