CVE-2026-27152

CVSS v3.1

3.8

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2025.12.2 Discourse versions prior to 2026.1.1 Discourse versions prior to 2026.2.0

Description Discourse, an open source discussion platform, had a flaw where a user could add targets who had blocked, ignored, or muted them to an existing direct message (DM) channel. This bypassed per-recipient private message restrictions normally enforced when creating DM channels. The issue occurred when adding members via the Chat::AddUsersToChannel function.

Recommendations Upgrade to Discourse version 2025.12.2 or later. Upgrade to Discourse version 2026.1.1 or later. Upgrade to Discourse version 2026.2.0 or later.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

BIT-DISCOURSE-2026-27152

CVE-2026-27152

GHSA-F8FF-PXG3-7967

Affected Products

Discourse

CVE-2026-27152

Weakness Enumeration

Related Identifiers

Affected Products

References · 9