14 matches found
CVE-2026-33291 Discourse user can create Zendesk tickets even when it does not have access to topic
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators can create Zendesk tickets for topics they do not have access to view. This affects all forums that use the Zendesk plugin. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2...
CVE-2026-28282
Discourse security advisory: A vulnerability in the discourse-policy plugin allows a user with policy creation permission to gain membership in private/restricted groups. Affected versions are prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Exploitation would let the user read private topics ...
BIT-DISCOURSE-2026-26979 Discourse: TL4 users are able to change status of restricted topics
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available...
CVE-2026-27151 Discourse doesn't validate destination topic when moving posts
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the moveposts action only checked canmoveposts? on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move...
CVE-2026-26979 Discourse: TL4 users are able to change status of restricted topics
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available...
CVE-2026-26979
CVE-2026-26979 affects Discourse: TL4 users can close, archive, or pin topics in private categories they lack access to. Fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0. Impact is unauthorized topic status changes with LOW severity (CVSS 3.1: none certain, I=LOW). No workarounds are reported....
CVE-2026-26979 Discourse: TL4 users are able to change status of restricted topics
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available...
CVE-2025-58055
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topicid...
CVE-2025-58055
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topicid...
CVE-2025-58055
Discourse vulnerability CVE-2025-58055 affects version 3.5.0 and earlier, where AI suggestion endpoints for Title, Category, and Tags can disclose information from restricted topics by altering topic_id in API requests. The root cause is improper access control at the AI helper endpoints, enablin...
CVE-2025-58055 Discourse AI Suggestions Contain Insecure Direct Object Reference
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topicid...
PT-2025-40289
Name of the Vulnerable Software and Affected Versions Discourse versions 3.5.0 and below Description Discourse, an open-source community discussion platform, had an issue where authenticated users could access information about topics they were not authorized to view. This occurred through the AI...
Discourse 3.1.x < 3.1.0.beta2 Multiple Vulnerabilities
Discourse is prone to multiple vulnerabilities SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:discourse:discourse"; ifdescriptio...
PT-2022-26174 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.8.12 Discourse versions prior to 2.9.0.beta13 Description: Discourse is an open-source discussion platform. Under certain conditions, a user can see notifications for topics they no longer have access to,...