PT-2026-22196 · Discourse · Discourse
Davidtaylorhq
Published: 2026-02-26
Updated: 2026-03-03
CVE-2026-28219
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0
Description
An improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. A regular user can elevate a topic’s status to a site-wide notice or banner by manipulating specific parameters in a PUT or POST request, bypassing intended administrative restrictions. This bypass occurs due to insufficient validation when processing requests related to topic attributes.
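The defect class above, shown as an added illustration in plain Ruby that is not Discourse's own code: an update handler that checks only ownership and then applies every submitted attribute, next to a hardened version that rejects privileged attributes unless the caller is staff. The attribute names (:title, :banner, :site_notice) and the staff flag are hypothetical.

```ruby
# Added example, not Discourse code. Models a topic update endpoint where
# some attributes (banner / site-wide notice) are meant to be staff-only.
# Attribute names and the staff flag are hypothetical.
User = Struct.new(:name, :staff) do
  def staff?
    staff
  end
end

Topic = Struct.new(:title, :banner, :site_notice, :owner)

# Attributes that only staff may change; an owner may edit the rest.
PRIVILEGED_ATTRS = %i[banner site_notice].freeze

class NotAuthorized < StandardError; end

# Vulnerable pattern: authorization stops at "is this the owner?" and then
# every submitted attribute is applied, so an ordinary owner can set the
# privileged flags simply by including them in the request body.
def update_topic_vulnerable(topic, user, params)
  raise NotAuthorized, "not the owner" unless topic.owner == user.name || user.staff?
  params.each { |k, v| topic[k] = v }
  topic
end

# Hardened pattern: ownership still permits ordinary edits, but any request
# that touches a privileged attribute is rejected outright (not silently
# dropped) unless the caller is staff. Rejecting rather than ignoring keeps
# the attempt visible in application logs for detection.
def update_topic_fixed(topic, user, params)
  raise NotAuthorized, "not the owner" unless topic.owner == user.name || user.staff?
  touched = params.keys & PRIVILEGED_ATTRS
  if touched.any? && !user.staff?
    raise NotAuthorized, "staff only: #{touched.join(', ')}"
  end
  params.each { |k, v| topic[k] = v }
  topic
end
```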
Recommendations
Update Discourse to version 2025.12.2 or later.
Update Discourse to version 2026.1.1 or later.
Update Discourse to version 2026.2.0 or later.
Affected Products
Discourse