PT-2026-5210 · Discourse · Discourse

Reported by Davidtaylorhq · Published 2026-01-28 · Updated 2026-02-02

CVE-2026-21865

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description

Discourse is an open source discussion platform. Moderators may be able to convert personal messages to public topics when they should not have access. As a temporary workaround, site administrators can revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance is upgraded to a patched version.

Recommendations

Upgrade to Discourse version 3.5.4 or later.
Upgrade to Discourse version 2025.11.2 or later.
Upgrade to Discourse version 2025.12.1 or later.
Upgrade to Discourse version 2026.1.0 or later.
As a temporary workaround, revoke the moderation role from untrusted moderators.
As a temporary workaround, remove the moderator group from the "personal message enabled groups" site setting.

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-DISCOURSE-2026-21865
CVE-2026-21865
GHSA-4777-WRV5-3G39

Affected Products

Discourse