Impact
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow users who are not members of the authorized policy-creation groups to create functional policy acceptance widgets within posts. Because the permission check is missing, an attacker gains elevated capabilities by inserting policy widgets that can be used to enforce or manipulate acceptance rules without proper authorization. The vulnerability is a classic missing-authorization flaw (CWE-862) that results in privilege escalation, capable of compromising the confidentiality and integrity of policy enforcement within the platform.
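The following Ruby is an added illustration of the missing-authorization pattern described above, not code from Discourse or the discourse-policy plugin: a check that only asks whether policy markup is present (the vulnerable shape) beside one that also verifies the author belongs to an allowed group, plus an audit helper for finding widgets posted before patching. The `[policy ...]` markup, the group names and the sample posts are constructed assumptions.

```ruby
require "set"

# Constructed stand-in for the policy markup the plugin renders in a post.
# The plugin's exact markup is not on the page; "[policy ...]" is an assumption.
POLICY_TAG = /\[policy\b[^\]]*\]/i

# Constructed setting: groups whose members may create policy widgets.
ALLOWED_POLICY_GROUPS = Set["staff", "admins"].freeze

Post = Struct.new(:id, :author, :author_groups, :raw, keyword_init: true)

# Vulnerable shape (CWE-862): only asks whether markup is present, never who wrote it.
def policy_widget_allowed_vulnerable?(post)
  post.raw.match?(POLICY_TAG) # true for any author, so any user can plant a widget
end

# Hardened shape: a policy widget is only valid when the author is in an allowed group.
def policy_widget_allowed?(post, allowed_groups = ALLOWED_POLICY_GROUPS)
  return true unless post.raw.match?(POLICY_TAG) # no widget, nothing to authorize
  post.author_groups.any? { |g| allowed_groups.include?(g) }
end

# Audit: ids of existing posts whose policy widget was authored by an unauthorized user.
# Patching stops new abuse but does not remove widgets that were already posted.
def unauthorized_policy_posts(posts, allowed_groups = ALLOWED_POLICY_GROUPS)
  posts.reject { |p| policy_widget_allowed?(p, allowed_groups) }.map(&:id)
end

# Constructed sample posts (not real forum data).
SAMPLE_POSTS = [
  Post.new(id: 1, author: "alice", author_groups: %w[staff trust_level_4],
           raw: "[policy group=\"staff\" reminder=\"weekly\"]Read the handbook[/policy]"),
  Post.new(id: 2, author: "bob", author_groups: %w[trust_level_1],
           raw: "[policy group=\"everyone\"]Accept this[/policy]"),
  Post.new(id: 3, author: "carol", author_groups: %w[trust_level_2],
           raw: "Plain post with no widget."),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Vulnerable check accepts bob's widget: #{policy_widget_allowed_vulnerable?(SAMPLE_POSTS[1])}"
  puts "Posts needing review: #{unauthorized_policy_posts(SAMPLE_POSTS).inspect}"
end
```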
Affected Systems
The affected systems are installations of the Discourse discussion platform, specifically those running any version older than 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. The vulnerability is tied to the discourse-policy plugin, which is enabled by default via the `policy_enabled` setting.
Risk and Exploitability
The CVSS score of 8.2 indicates a high-severity risk. Exploitation is likely possible through normal user interaction, such as authoring posts. The EPSS score of less than 1% suggests that, while the vulnerability exists, the probability of active exploitation is currently low, and this vulnerability is not listed in the CISA KEV catalog. An attacker could leverage this flaw to install unauthorized policy widgets, potentially bypassing organizational controls or misrepresenting policy compliance. The attack vector is inferred to be remote, via the web interface, where a non-privileged user crafts a post to trigger the vulnerability.
OpenCVE Enrichment