CVE-2026-27491

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2

Description Discourse is an open-source discussion platform. A type coercion issue exists in a post actions API endpoint. This issue allowed non-staff users to issue warnings to other users, a feature normally restricted to staff. Exploitation required a logged-in attacker to send a specifically crafted request to the /post actions API endpoint. The vulnerable parameter is not specified. No data exposure or privilege escalation beyond unauthorized user warnings was possible.

Recommendations Update Discourse to version 2026.3.0-latest.1 or later. Update Discourse to version 2026.2.1 or later. Update Discourse to version 2026.1.2 or later.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

BIT-DISCOURSE-2026-27491

CVE-2026-27491

GHSA-XQ37-5FVF-4M4J

Affected Products

Discourse

CVE-2026-27491

Weakness Enumeration

Related Identifiers

Affected Products

References · 11