CVE-2026-27151

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2025.12.2 Discourse versions prior to 2026.1.1 Discourse versions prior to 2026.2.0

Description Discourse, an open source discussion platform, had an issue where the move posts action did not properly validate write permissions on the destination topic. Specifically, the system only checked can move posts? on the source topic, failing to verify if the user had the necessary permissions to write to the destination topic. This allowed Trust Level 4 users and category group moderators to move posts into topics within categories where they lacked posting privileges, such as read-only categories or those with group-restricted write access.

Recommendations Update Discourse to version 2025.12.2 or later. Update Discourse to version 2026.1.1 or later. Update Discourse to version 2026.2.0 or later.