PT-2026-26379 · Discourse · Discourse Policy Plugin
Davidtaylorhq · Published 2026-03-19 · Updated 2026-03-27
CVE-2026-29072 · CVSS v4.0 8.2 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups could create functional policy acceptance widgets in posts under certain conditions. The "policy enabled" site setting controls the functionality of the discourse-policy plugin.

Recommendations
Versions prior to 2026.3.0-latest.1: update to version 2026.3.0-latest.1 or later.
Versions prior to 2026.2.1: update to version 2026.2.1 or later.
Versions prior to 2026.1.2: update to version 2026.1.2 or later.
As a workaround for all affected versions, disable the discourse-policy plugin by turning off the "policy enabled" site setting.
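The three fixed versions above are per release line, so deciding whether a given instance needs the update is a branch-aware comparison rather than a single "less than" check. The following helper is an added example, not part of the advisory or of Discourse itself. It assumes the version strings follow the shapes shown on this page (x.y.z and x.y.z-latest.N), that a "-latest.N" build sorts before the bare x.y.z release of the same base, and that release lines newer than 2026.3 already carry the fix; a version string in any other shape is rejected rather than guessed at.

```python
"""Triage helper for CVE-2026-29072 (Discourse / discourse-policy).

Fixed versions are taken from the advisory; everything else is an
assumption made for this example (see comments).
"""
import re
from typing import Optional, Tuple

# Fixed versions listed in the advisory, one per release line.
FIXED_VERSION_STRINGS = ["2026.1.2", "2026.2.1", "2026.3.0-latest.1"]

# Accepts "2026.2.1" and "2026.3.0-latest.1"; anything else is rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-latest\.(\d+))?$")

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a Discourse version string into a comparable tuple.

    Assumption: a "-latest.N" build is a pre-release of its base x.y.z and
    therefore sorts before the bare x.y.z release.  Encoding:
        x.y.z-latest.N -> (x, y, z, 0, N)
        x.y.z          -> (x, y, z, 1, 0)
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Discourse version string: {text!r}")
    year, minor, patch, latest = match.groups()
    if latest is None:
        return (int(year), int(minor), int(patch), 1, 0)
    return (int(year), int(minor), int(patch), 0, int(latest))


FIXED_VERSIONS = [parse_version(s) for s in FIXED_VERSION_STRINGS]


def branch_of(version: Version) -> Tuple[int, int]:
    """Release line is the leading x.y (e.g. 2026.2)."""
    return version[:2]


def fixed_version_for(version_text: str) -> Optional[str]:
    """Return the advisory's fixed version for this release line, if any."""
    version = parse_version(version_text)
    for fixed_text, fixed in zip(FIXED_VERSION_STRINGS, FIXED_VERSIONS):
        if branch_of(fixed) == branch_of(version):
            return fixed_text
    return None


def is_affected(version_text: str) -> bool:
    """True if the given version should be updated or the plugin disabled."""
    version = parse_version(version_text)
    fixed_text = fixed_version_for(version_text)
    if fixed_text is not None:
        # Same release line as a listed fix: compare within that line.
        return version < parse_version(fixed_text)
    # No fix listed for this line.  Assumption: lines older than the newest
    # listed fix are affected ("prior to 2026.1.2" covers older releases);
    # lines newer than 2026.3 ship with the fix included.
    return version < max(FIXED_VERSIONS)


def remediation(version_text: str) -> str:
    """Human-readable action for an operator, derived from the advisory."""
    if not is_affected(version_text):
        return f"{version_text}: not affected by CVE-2026-29072"
    fixed_text = fixed_version_for(version_text) or max(FIXED_VERSION_STRINGS)
    return (f"{version_text}: affected; update to {fixed_text} or later, "
            f"or disable the 'policy enabled' site setting as a workaround")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ["2026.1.1", "2026.2.1", "2026.3.0-latest.0", "2025.12.3"]:
        print(remediation(sample))
```

Feed it the version string reported by each instance (the admin dashboard shows it) and act on any line that comes back affected; because the 2026.3 fix is a "-latest" build, an instance pinned to a bare 2026.3.0 release would, under the ordering assumed here, be treated as already past the fix, so confirm that assumption against the release notes before relying on it.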

Weakness Enumeration
Missing Authorization

Related Identifiers

BIT-DISCOURSE-2026-29072
CVE-2026-29072
GHSA-7PH8-VPRQ-4JRP

Affected Products

Discourse
Discourse Policy Plugin