BIT-discourse-2026-26207

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-26207.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2026-26207

Aliases

CVE-2026-26207
GHSA-jr4h-w6p5-w55r

Published

2026-03-03T13:29:06.818Z

Modified

2026-03-03T14:26:18.490471Z

Summary

DIscourse's discourse-policy plugin lacks post access check

Details

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, discourse-policy plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The PolicyController loads posts by ID without verifying the current user's access, enabling policy group members to accept/unaccept policies on posts in private categories or PMs they cannot see and any authenticated user to enumerate which post IDs have policies attached via differentiated error responses (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a guardian.can_see?(@post) check in the set_post before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (policy_enabled = false) eliminates the vulnerability. There is no other workaround without upgrading.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2025.12.2

Introduced

2026.1.0

Fixed

2026.1.1

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-26207.json"