PT-2026-22175 · Discourse · Discourse

Davidtaylorhq · Published 2026-02-26 · Updated 2026-03-03
CVE-2026-26973 · CVSS v3.1 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0

Description

Discourse is an open source discussion platform. A flaw in the ReviewableNotesController allows an Insecure Direct Object Reference (IDOR). When the enable category group moderation site setting is enabled, a user belonging to a category moderation group can create or delete notes on any reviewable item in the system, including items in categories they are not authorized to moderate. The issue stems from an unscoped Reviewable.find lookup combined with an ensure_can_see guard that only verifies access to the review queue in general, not to the specific reviewable item. Staff users (administrators and moderators) are not affected, because they already have access to all reviewable items.
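
The lookup-then-guard pattern described above, as an added Ruby example that is not Discourse's code: a simplified in-memory model with a hypothetical site setting, users, category moderation group membership and reviewables, showing a vulnerable finder that performs an unscoped lookup behind a queue-level check beside a fixed finder that authorizes against the specific reviewable's category. All names, ids and sample data are constructed for the example; the actual Discourse fix is not reproduced here.

```ruby
# Added illustration of the IDOR pattern in the advisory; not Discourse's code.
# Everything below is a hypothetical, in-memory stand-in for the real models.

SiteSetting = Struct.new(:enable_category_group_moderation)
User        = Struct.new(:id, :staff, :moderated_category_ids)
Reviewable  = Struct.new(:id, :category_id)

class NotAuthorized < StandardError; end

# Constructed sample data: two reviewables in two different categories.
REVIEWABLES = {
  1 => Reviewable.new(1, 10), # lives in category 10
  2 => Reviewable.new(2, 20), # lives in category 20
}.freeze

# Coarse check: may this user see the review queue at all?  This is the only
# thing the vulnerable guard asks.  Staff always can; a category group
# moderator can whenever the site setting is on, regardless of category.
def can_see_review_queue?(user, setting)
  return true if user.staff
  setting.enable_category_group_moderation && !user.moderated_category_ids.empty?
end

# Per-item check: may this user moderate this particular reviewable?
def can_moderate_reviewable?(user, reviewable, setting)
  return true if user.staff
  setting.enable_category_group_moderation &&
    user.moderated_category_ids.include?(reviewable.category_id)
end

# Vulnerable finder: queue-level guard, then an unscoped lookup.  Any id the
# caller supplies is accepted, so a moderator of category 10 reaches items
# in category 20.
def find_reviewable_vulnerable(user, reviewable_id, setting)
  raise NotAuthorized unless can_see_review_queue?(user, setting)
  REVIEWABLES.fetch(reviewable_id)
end

# Fixed finder: load the item, then evaluate the guard against that item.
def find_reviewable_fixed(user, reviewable_id, setting)
  reviewable = REVIEWABLES.fetch(reviewable_id)
  raise NotAuthorized unless can_moderate_reviewable?(user, reviewable, setting)
  reviewable
end

# Simulates a note-creation request and reports :ok or :denied, so the two
# finders can be compared on identical inputs.
def try_create_note(user, reviewable_id, setting, fixed:)
  finder = fixed ? method(:find_reviewable_fixed) : method(:find_reviewable_vulnerable)
  finder.call(user, reviewable_id, setting)
  :ok
rescue NotAuthorized
  :denied
end

if __FILE__ == $PROGRAM_NAME
  setting   = SiteSetting.new(true)          # category group moderation enabled
  cat10_mod = User.new(7, false, [10])       # non-staff moderator of category 10
  puts "vulnerable, foreign category: #{try_create_note(cat10_mod, 2, setting, fixed: false)}"
  puts "fixed, foreign category:      #{try_create_note(cat10_mod, 2, setting, fixed: true)}"
  puts "fixed, own category:          #{try_create_note(cat10_mod, 1, setting, fixed: true)}"
end
```

Running the block shows the non-staff moderator succeeding against a reviewable in a category they do not moderate on the vulnerable path and being refused on the fixed path, while still being allowed in their own category. Turning the setting off denies the non-staff user on both paths, which is the behaviour the advisory's temporary workaround relies on.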
Recommendations

Discourse versions prior to 2025.12.2 should be updated to version 2025.12.2 or later.
Discourse versions prior to 2026.1.1 should be updated to version 2026.1.1 or later.
Discourse versions prior to 2026.2.0 should be updated to version 2026.2.0 or later.

As a temporary workaround, disable the enable category group moderation site setting. Note that this also removes category group moderators' access to the review queue until the upgrade is applied.

Weakness Enumeration

IDOR
Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2026-26973
CVE-2026-26973
GHSA-C587-QX78-VHMX

Affected Products

Discourse