PT-2026-22154 · Discourse · Discourse+1

Davidtaylorhq · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-26207

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the discourse-policy plugin permitted any authenticated user to interact with policies on posts they did not have permission to view. The PolicyController loaded posts by ID without verifying the current user's access. This allowed policy group members to accept or unaccept policies on posts in private categories or private messages they could not see, and allowed any authenticated user to enumerate post IDs with attached policies through differentiated error responses, resulting in information disclosure. The issue was addressed by adding a guardian.can_see?(@post) check in the set_post before_action, ensuring post visibility is verified before any policy action is processed.
Recommendations

Versions prior to 2025.12.2 should be upgraded to version 2025.12.2 or later. Versions prior to 2026.1.1 should be upgraded to version 2026.1.1 or later. Versions prior to 2026.2.0 should be upgraded to version 2026.2.0 or later. As a workaround, disable the discourse-policy plugin by setting policy_enabled = false.
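The ordering problem the advisory describes, as an added illustration that is not discourse-policy's own code: a minimal Ruby model of the controller flow, with the vulnerable load-by-ID shape beside the fixed shape that checks visibility in set_post before any policy logic runs. Post, Guardian, the sample data and the symbolic status values are stand-ins assumed for this example.

```ruby
# Added illustration, not discourse-policy's own code: a stripped-down model of
# the controller flow the advisory describes. Post, Guardian, the status values
# and the data are stand-ins; only the ordering of the checks follows the fix.

Post = Struct.new(:id, :private, :allowed_user_ids, :has_policy, keyword_init: true)

# Constructed sample data: post 1 is public, post 2 sits in a private category
# that only user 7 may see, post 3 does not exist.
POSTS = {
  1 => Post.new(id: 1, private: false, allowed_user_ids: [], has_policy: true),
  2 => Post.new(id: 2, private: true, allowed_user_ids: [7], has_policy: true),
}.freeze

# Stand-in for Discourse's Guardian#can_see?: public posts are visible to all,
# private ones only to explicitly allowed users.
class Guardian
  def initialize(user_id)
    @user_id = user_id
  end

  def can_see?(post)
    !post.private || post.allowed_user_ids.include?(@user_id)
  end
end

# Vulnerable shape from the advisory: set_post loads by ID only, the caller's
# identity is never consulted, and the "missing post" and "missing policy"
# branches answer differently, so the responses distinguish post IDs.
def vulnerable_accept(_user_id, post_id)
  post = POSTS[post_id]
  return :not_found unless post              # one response for unknown IDs
  return :no_policy unless post.has_policy   # a different one for known IDs
  :accepted                                  # policy accepted on a post the user may not see
end

# Fixed shape: set_post verifies guardian.can_see?(@post) before any policy
# logic runs, and a hidden post is answered exactly like a missing one.
def fixed_accept(user_id, post_id)
  post = POSTS[post_id]
  return :not_found if post.nil? || !Guardian.new(user_id).can_see?(post)
  return :no_policy unless post.has_policy
  :accepted
end
```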

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-DISCOURSE-2026-26207
CVE-2026-26207
GHSA-JR4H-W6P5-W55R

Affected Products

Discourse
Discourse-Policy