Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

In the open-source Discourse discussion platform, an excessively permissive authorization check on the deleted-posts index endpoint allows a non-staff user with certain elevated group memberships to view any user's deleted posts. The flaw, classified under CWE-863 (Incorrect Authorization), results in the disclosure of content that administrators intended to keep private, compromising the confidentiality of deleted discussions.
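The vulnerable and hardened forms of the authorization decision the advisory describes, as an added Ruby example written for this page (Discourse is a Rails application); it models the decision only and is not Discourse's code, and the group names, user records and the `deleted_posts_index` helper are constructed.

```ruby
# Hypothetical model of the access decision behind a "deleted posts index"
# endpoint. Not Discourse's code; every name below is constructed.
User = Struct.new(:id, :staff, :groups, keyword_init: true)
Post = Struct.new(:id, :author_id, :deleted, keyword_init: true)

# Constructed group names standing in for "elevated group membership".
ELEVATED_GROUPS = %w[trust_level_4 community_helpers].freeze

# Vulnerable check (the CWE-863 pattern): elevated-group membership is treated
# like staff, so any member may list ANY user's deleted posts. The target
# user is ignored entirely.
def can_list_deleted_posts_vulnerable?(viewer, _target_user_id)
  viewer.staff || (viewer.groups & ELEVATED_GROUPS).any?
end

# Hardened check: staff may list anyone's deleted posts; a non-staff viewer
# may list only their own. Group membership by itself grants nothing.
def can_list_deleted_posts_hardened?(viewer, target_user_id)
  viewer.staff || viewer.id == target_user_id
end

# The index action: nil models an HTTP 403, otherwise the requested user's
# deleted posts are returned.
def deleted_posts_index(posts, viewer, target_user_id, check:)
  return nil unless check.call(viewer, target_user_id)
  posts.select { |p| p.deleted && p.author_id == target_user_id }
end

# Constructed sample data: Alice is non-staff but in an elevated group.
POSTS = [
  Post.new(id: 1, author_id: 10, deleted: true),
  Post.new(id: 2, author_id: 10, deleted: false),
  Post.new(id: 3, author_id: 20, deleted: true),
].freeze
ALICE = User.new(id: 10, staff: false, groups: ["trust_level_4"])
BOB   = User.new(id: 20, staff: false, groups: [])
MOD   = User.new(id: 30, staff: true,  groups: [])

# Returns :forbidden or the ids of the deleted posts the viewer is shown.
def visible_deleted_ids(viewer, target_user_id, check)
  result = deleted_posts_index(POSTS, viewer, target_user_id, check: check)
  result.nil? ? :forbidden : result.map(&:id)
end

VULNERABLE = method(:can_list_deleted_posts_vulnerable?)
HARDENED   = method(:can_list_deleted_posts_hardened?)
```

With the vulnerable predicate Alice can read Bob's deleted post; with the hardened one the same request is refused while her own posts and a moderator's request still succeed.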

Affected Systems

All Discourse installations running versions earlier than 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 are affected. The patched releases (2026.3.0-latest.1, 2026.2.1, and 2026.1.2) tighten the permission model and remove the vulnerability.

Risk and Exploitability

The CVSS score of 4.9 denotes medium severity, while the EPSS score below 1% suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a request to the /posts/deleted endpoint; this attack vector is inferred from the description, which characterises the vulnerability as an "overly broad authorization check." The impact is primarily the unauthorized disclosure of deleted content, with the risk level depending on the sensitivity of the data that was removed.

Generated by OpenCVE AI on March 24, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Discourse 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 to apply the patch.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 05:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 19:45:00 +0000

Type: CPEs
Values added:
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Discourse; Discourse discourse
Type: Vendors & Products
Values added: Discourse; Discourse discourse

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values added: Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Type: Title
Values added: Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership
Type: Weaknesses
Values added: CWE-863
Type: References
Type: Metrics (cvssV4_0)
Values added: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Discourse Discourse
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:42:54.320Z

Reserved: 2026-03-19T18:45:22.434Z

Link: CVE-2026-33428

Vulnrichment

Updated: 2026-03-25T13:42:50.992Z

NVD

Status: Analyzed

Published: 2026-03-21T00:16:27.477

Modified: 2026-03-24T19:41:41.793

Link: CVE-2026-33428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:43Z

Weaknesses