PT-2026-26371 · Discourse · Discourse
Davidtaylorhq
·
Published
2026-03-19
·
Updated
2026-03-27
·
CVE-2026-27935
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a flaw in an API endpoint. This endpoint allows the disclosure of private topic metadata belonging to administrator users to moderator users, even when those moderators do not have authorized access to the private topics. The affected API endpoint exposes sensitive information.
Recommendations
Update Discourse to version 2026.3.0-latest.1 or later.
Update Discourse to version 2026.2.1 or later.
Update Discourse to version 2026.1.2 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Discourse