BIT-discourse-2026-29072

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-29072.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2026-29072

Aliases

CVE-2026-29072
GHSA-7ph8-vprq-4jrp

Published

2026-03-27T07:10:21.008Z

Modified

2026-04-02T13:26:22.134011009Z

Summary

Discourse missing permission check for policy creation in discourse-policy

Details

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the discourse-policy plugin by disabling the policy_enabled site setting.

Database specific

{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*"
    ]
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2026.1.0

Fixed

2026.1.2

Introduced

2026.2.0

Fixed

2026.2.1

Introduced

2026.3.0

Fixed

2026.4.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2026-29072.json"