PT-2026-22195 · Discourse · Data Explorer+2
Davidtaylorhq
Published: 2026-02-26 · Updated: 2026-03-03
CVE-2026-28218
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0
Description
Discourse is an open source discussion platform. A flaw exists in the Data Explorer plugin's access control mechanism, which fails open: any authenticated user can execute SQL queries, including the plugin's built-in system queries, that lack an explicit group assignment. The Data Explorer plugin is affected. The vulnerable functionality is the execution of SQL queries through the plugin.
Recommendations
Versions prior to 2025.12.2: Apply the update to version 2025.12.2 or later.
Versions prior to 2026.1.1: Apply the update to version 2026.1.1 or later.
Versions prior to 2026.2.0: Apply the update to version 2026.2.0 or later.
As a temporary workaround, explicitly set group permissions on each Data Explorer query that has none.
As a temporary workaround, disable the discourse-data-explorer plugin.
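The fail-open pattern described above, as an added illustration (this is not Discourse or Data Explorer code; the Query and User structs, the sample queries and the helper names are constructed for the example). It contrasts a group check that is vacuously satisfied by an empty assignment with a fail-closed variant, and includes an audit helper in the spirit of the first workaround: listing every saved query that still has no explicit group assignment.

```ruby
# Added illustration, not Discourse or Data Explorer code.
# Models a saved SQL query that may carry an explicit list of allowed group ids.
Query = Struct.new(:id, :name, :group_ids, keyword_init: true)
User  = Struct.new(:id, :group_ids, :admin, keyword_init: true)

# Constructed sample data: query 1 is restricted to group 10; queries 2 and 3
# have no explicit group assignment (nil and empty), the state the advisory's
# workaround tells administrators to correct.
QUERIES = [
  Query.new(id: 1, name: "staff-only report",            group_ids: [10]),
  Query.new(id: 2, name: "system query without groups",  group_ids: nil),
  Query.new(id: 3, name: "custom query without groups",  group_ids: []),
].freeze

# Fail-open check: "no assigned group is missing from the user" is vacuously
# true for an empty assignment, so any authenticated user passes for queries
# 2 and 3. This is the shape of bug the advisory describes.
def can_run_fail_open?(user, query)
  return true if user.admin
  Array(query.group_ids).none? { |g| !user.group_ids.include?(g) }
end

# Fail-closed check: a query with no explicit assignment is runnable only by
# admins; every other caller must belong to at least one assigned group.
def can_run_fail_closed?(user, query)
  return true if user.admin
  groups = Array(query.group_ids)
  return false if groups.empty?
  (groups & user.group_ids).any?
end

# Audit helper mirroring the workaround: find queries that still have no
# explicit group assignment so permissions can be set on each of them.
def unassigned_queries(queries)
  queries.select { |q| Array(q.group_ids).empty? }
end

if __FILE__ == $0
  outsider = User.new(id: 2, group_ids: [20], admin: false)
  QUERIES.each do |q|
    puts "#{q.name}: fail-open=#{can_run_fail_open?(outsider, q)} " \
         "fail-closed=#{can_run_fail_closed?(outsider, q)}"
  end
  puts "unassigned query ids: #{unassigned_queries(QUERIES).map(&:id).inspect}"
end
```

The difference between the two checks is only the explicit `return false if groups.empty?`; an authorization predicate should deny when it has no positive evidence of entitlement rather than rely on a condition that is trivially true for empty input.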
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2026-28218
Affected Products
Data Explorer
Discourse
Discourse-Data-Explorer