Lowdavidtaylorhq

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 **Description** Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the `ip address` of a flagged user is exposed to any user who can access the review queue, including users who should not have access to this information. **Recommendations** Update to Discourse version 2026.3.0-latest.1 or later. Update to Discourse version 2026.2.1 or later. Update to Discourse version 2026.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 **Description** Discourse is an open-source discussion platform. Staff members could modify any user's group notification level in versions prior to the patched releases. No further details were provided. **Recommendations** Update to Discourse version 2026.3.0-latest.1. Update to Discourse version 2026.2.1. Update to Discourse version 2026.1.2.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 **Description** Discourse is an open-source discussion platform. A security flaw exists within the `discourse-policy` plugin that allows a user with policy creation permissions to gain membership access to any private or restricted groups. Once a user obtains membership to a private or restricted group, they can read private topics accessible only to that group. The flaw involves the `add-users-to-group` attribute within policies. **Recommendations** Versions prior to 2026.3.0-latest.1: Update to version 2026.3.0-latest.1 or later. Versions prior to 2026.2.1: Update to version 2026.2.1 or later. Versions prior to 2026.1.2: Update to version 2026.1.2 or later. As a temporary workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the `discourse-policy` plugin by disabling the `policy enabled` site setting.