CVE-2026-28282

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2

Description Discourse is an open-source discussion platform. A security flaw exists within the discourse-policy plugin that allows a user with policy creation permissions to gain membership access to any private or restricted groups. Once a user obtains membership to a private or restricted group, they can read private topics accessible only to that group. The flaw involves the add-users-to-group attribute within policies.

Recommendations Versions prior to 2026.3.0-latest.1: Update to version 2026.3.0-latest.1 or later. Versions prior to 2026.2.1: Update to version 2026.2.1 or later. Versions prior to 2026.1.2: Update to version 2026.1.2 or later. As a temporary workaround, review all policies for the use of add-users-to-group and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the policy enabled site setting.