CVE-2026-33251 - Vulnerability Details

- Discourse has a Hidden Solved topics permission bypass

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure only trusted users are part of the Site Setting for accept_all_solutions_allowed_groups.

Published: 2026-03-20

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an authorization bypass in the handling of hidden solved topics. It allows a user who normally does not have permission to accept or unaccept solutions to do so, effectively turning the accepted answer status on or off. This can mislead other users about which answers are considered correct and undermines discussion integrity. The weakness is identified as CWE‑863.

Affected Systems

All Discourse installations running a version prior to 2026.3.0‑latest.1, 2026.2.1 or 2026.1.2 are affected. The patch was included in the 2026.3.0‑latest.1 release and back‑ported to the older 2026.2.1 and 2026.1.2 releases. If a site is using a newer build, the vulnerability has been patched; older builds remain exposed until updated.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate impact. EPSS is below 1 %, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires a user account with normal privileges able to see hidden solved topics, a condition that can be met by any user who can log in to the forum. Once the condition is satisfied, the attacker can toggle solution acceptance, thereby manipulating the perceived resolution status of posts. No network‑level exploit is required; the weakness is purely an authorization flaw within the application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

discourse

affected

Version	Status	Constraints
`>= 2026.1.0-latest, < 2026.1.2`	affected	—
`>= 2026.2.0-latest, < 2026.2.1`	affected	—
`= 2026.3.0-latest`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

No data.

Vendor Product Confidence Versions

Discourse

100%

Version	Status	Scheme	Platform
`[2026.1.0-latest,2026.1.2)`	affected	semver	—
`[2026.2.0-latest,2026.2.1)`	affected	semver	—
`2026.3.0-latest`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch by upgrading to Discourse 2026.3.0‑latest.1, 2026.2.1 or 2026.1.2
If an upgrade is not immediately possible, restrict the accept_all_solutions_allowed_groups setting so that only trusted users are allowed to accept or unaccept solutions

Generated by OpenCVE AI on March 24, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm

History

Tue, 24 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:discourse:discourse:::::::: cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

Tue, 24 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Discourse Discourse discourse
Vendors & Products		Discourse Discourse discourse

Fri, 20 Mar 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure only trusted users are part of the Site Setting for accept_all_solutions_allowed_groups.
Title		Discourse has a Hidden Solved topics permission bypass
Weaknesses		CWE-863
References		https://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Discourse Discourse

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-20T22:52:37.051Z

Updated: 2026-03-24T18:05:41.967Z

Reserved: 2026-03-18T02:42:27.510Z

Link: CVE-2026-33251

Vulnrichment

Updated: 2026-03-24T18:05:30.466Z

NVD

Status : Analyzed

Published: 2026-03-20T23:16:47.340

Modified: 2026-03-24T20:55:18.063

Link: CVE-2026-33251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:02Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object