SB2026070155 - Multiple vulnerabilities in Discourse



Published: July 1, 2026

Security Bulletin ID SB2026070155
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium: 25% (3 of 12), Low: 75% (9 of 12)

Description

This security bulletin contains information about 12 vulnerabilities.


1) Incorrect authorization (CVE-ID: CVE-2026-27153)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the CSV export endpoint when exporting entities. A remote user can export user chat direct messages to disclose sensitive information.

The issue is caused by an overly permissive check in can_export_entity?: rather than allowing only an explicit list of entities, it let moderators export any entity that was not explicitly blocked.


2) Improper access control (CVE-ID: CVE-2026-27152)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass communication preferences and add users to an existing direct message channel.

The vulnerability exists due to improper access control in Chat::AddUsersToChannel when adding members to an existing direct message channel. A remote user can add targets who have blocked, ignored, or muted them to bypass per-recipient private message restrictions.

The block, ignore and mute restrictions are enforced when a direct message channel is created, but were not re-checked when members are added to an existing channel later.
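As an added illustration of the point above (example code written for this bulletin, not Discourse's own), the following Ruby shows the vulnerable shape, where only channel creation consults the recipient's block, ignore and mute lists, next to a hardened version that routes both the creation and the add-members path through the same policy check. The user fields, class and method names are hypothetical, and the scenario data is constructed.

```ruby
# Added example, not Discourse's code: one per-recipient messaging policy applied
# on every path that adds a member to a direct message channel.
require 'set'

# Hypothetical user record. blocked/ignored/muted hold the ids of users whose
# messages this user does not want to receive.
User = Struct.new(:id, :blocked, :ignored, :muted) do
  def refuses_messages_from?(sender)
    blocked.include?(sender.id) || ignored.include?(sender.id) || muted.include?(sender.id)
  end
end

class NotAllowed < StandardError; end

# The single policy decision both entry points must consult.
def can_message?(sender, target)
  !target.refuses_messages_from?(sender)
end

def create_dm_channel(creator, targets)
  targets.each { |t| raise NotAllowed, "user #{t.id} refuses messages" unless can_message?(creator, t) }
  { members: Set[creator.id, *targets.map(&:id)] }
end

# Vulnerable shape: only confirms the actor is already in the channel, so a
# recipient who blocked the actor can still be pulled in after creation.
def add_users_vulnerable(channel, actor, targets)
  raise NotAllowed, 'not a member' unless channel[:members].include?(actor.id)
  targets.each { |t| channel[:members] << t.id }
  channel
end

# Hardened: re-run the creation-time check for every added member, and only
# mutate the channel once every target has passed.
def add_users_hardened(channel, actor, targets)
  raise NotAllowed, 'not a member' unless channel[:members].include?(actor.id)
  targets.each { |t| raise NotAllowed, "user #{t.id} refuses messages" unless can_message?(actor, t) }
  targets.each { |t| channel[:members] << t.id }
  channel
end

# true when the block raised NotAllowed, false when it went through
def refused?
  yield
  false
rescue NotAllowed
  true
end

# Constructed scenario: carol has blocked alice.
def demo
  alice = User.new(1, Set[], Set[], Set[])
  bob   = User.new(2, Set[], Set[], Set[])
  carol = User.new(3, Set[1], Set[], Set[])
  dave  = User.new(4, Set[], Set[], Set[])

  {
    creation_refused: refused? { create_dm_channel(alice, [carol]) },
    vulnerable_added: add_users_vulnerable(create_dm_channel(alice, [bob]), alice, [carol])[:members].include?(carol.id),
    hardened_refused: refused? { add_users_hardened(create_dm_channel(alice, [bob]), alice, [carol]) },
    hardened_ok:      add_users_hardened(create_dm_channel(alice, [bob]), alice, [dave])[:members].include?(dave.id)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The design point is that the policy lives in one function; any new entry point that grows the channel (invites, imports, API clients) has to call it, instead of re-deriving the rules and forgetting one.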


3) Improper access control (CVE-ID: CVE-2026-26207)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and modify policy state on posts they are not authorized to view.

The vulnerability exists due to improper access control in the PolicyController when handling policy actions for posts loaded by ID. A remote user can send crafted requests referencing post IDs to disclose sensitive information and modify policy state on inaccessible posts.

Because the endpoint returns different errors for posts with and without a policy, it can also be used to learn which post IDs have policies attached. The issue affects posts in private categories and in private messages.
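To make the two problems in 3 concrete (the missing visibility check and the error oracle), the added Ruby example below (not Discourse's code) acts on a post loaded by ID. The vulnerable version answers differently for missing posts, hidden posts without a policy and hidden posts with one, and it mutates the hidden post; the hardened version checks visibility first and returns one uniform not-found for anything the requester may not see. Class names, the visibility rule and the sample data are constructed for the example.

```ruby
# Added example, not Discourse's code: authorize a post loaded by id before
# touching it, and answer "not found" for both missing and invisible posts.
Post   = Struct.new(:id, :category_id, :policy)
Viewer = Struct.new(:id, :category_ids) # hypothetical: categories the viewer may read

class NotFound < StandardError; end
class NoPolicy < StandardError; end

def can_see_post?(viewer, post)
  viewer.category_ids.include?(post.category_id)
end

# Vulnerable shape: mutates whatever the id points at, and its two distinct
# errors tell the caller whether a hidden post exists and carries a policy.
def accept_policy_vulnerable(posts, viewer, post_id)
  post = posts[post_id]
  raise NotFound unless post
  raise NoPolicy unless post.policy
  post.policy[:accepted_by] << viewer.id
  :accepted
end

# Hardened: visibility check first, and one uniform error for "does not exist"
# and "exists but you may not see it".
def accept_policy_hardened(posts, viewer, post_id)
  post = posts[post_id]
  raise NotFound if post.nil? || !can_see_post?(viewer, post)
  raise NoPolicy unless post.policy
  post.policy[:accepted_by] << viewer.id
  :accepted
end

# Map the raised error to the symbol a controller would turn into a status code.
def outcome
  yield
rescue NotFound then :not_found
rescue NoPolicy then :no_policy
end

# Constructed sample: category 1 is public, category 2 is private.
def sample_posts
  {
    10 => Post.new(10, 1, { accepted_by: [] }),
    20 => Post.new(20, 2, { accepted_by: [] }),
    30 => Post.new(30, 2, nil)
  }
end

# Probe four ids as a viewer who may only read category 1 and report what each
# version answered, plus whether the private post 20 was modified.
def probe(method)
  posts = sample_posts
  outsider = Viewer.new(7, [1])
  results = [10, 20, 30, 99].to_h { |id| [id, outcome { send(method, posts, outsider, id) }] }
  results[:private_post_modified] = posts[20].policy[:accepted_by].include?(outsider.id)
  results
end

puts probe(:accept_policy_vulnerable).inspect if $PROGRAM_NAME == __FILE__
puts probe(:accept_policy_hardened).inspect if $PROGRAM_NAME == __FILE__
```

With the vulnerable version, ids 20, 30 and 99 come back as :accepted, :no_policy and :not_found, so an outsider can tell the three cases apart and has accepted a policy on a post they cannot read; the hardened version answers :not_found for all three.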


4) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-26265)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the directory items endpoint when handling requests with the user_field_ids parameter. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue exposes private user field values for users in the directory, including fields intended to remain non-public.
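Items 1 and 4 share a root cause: the decision was made from what was not blocked, or from what the client asked for, instead of from what is explicitly allowed. The added Ruby example below (not Discourse's code; the entity and field names are hypothetical and the user-field table is constructed) shows the denylist-style export check beside an allowlist, and a user_field_ids filter that lets the client narrow the set of public fields but never widen it.

```ruby
# Added example, not Discourse's code: decide both export permissions (1) and
# directory field exposure (4) from an explicit allowlist, so a newly added
# entity or a non-public field is hidden by default.

ADMIN_ONLY_EXPORTS = %i[staff_action_log].freeze # the denylist the vulnerable check relies on

# Vulnerable shape: a moderator may export anything that is not explicitly
# blocked, so an entity nobody thought to block (chat DMs, say) slips through.
def can_export_entity_vulnerable?(user, entity)
  return true if user[:admin]
  user[:moderator] && !ADMIN_ONLY_EXPORTS.include?(entity)
end

MODERATOR_EXPORTS = %i[report user_list].freeze # explicit allowlist (hypothetical names)

def can_export_entity_hardened?(user, entity)
  return true if user[:admin]
  user[:moderator] && MODERATOR_EXPORTS.include?(entity)
end

# Constructed user fields: id => definition. Only `public: true` fields may be
# shown to anyone browsing the directory.
USER_FIELDS = {
  1 => { name: 'Website',      public: true  },
  2 => { name: 'Phone number', public: false },
  3 => { name: 'Pronouns',     public: true  }
}.freeze

# Vulnerable shape: trusts the client-supplied ids as the set of fields to render.
def directory_field_ids_vulnerable(requested)
  requested.map(&:to_i).select { |id| USER_FIELDS.key?(id) }
end

# Hardened: the client may narrow the public set, never widen it.
def directory_field_ids_hardened(requested)
  public_ids = USER_FIELDS.select { |_, f| f[:public] }.keys
  requested.map(&:to_i) & public_ids
end

def demo
  moderator = { admin: false, moderator: true }
  {
    vulnerable_exports_dms:  can_export_entity_vulnerable?(moderator, :chat_direct_messages),
    hardened_exports_dms:    can_export_entity_hardened?(moderator, :chat_direct_messages),
    hardened_exports_report: can_export_entity_hardened?(moderator, :report),
    vulnerable_fields:       directory_field_ids_vulnerable(%w[1 2 3]),
    hardened_fields:         directory_field_ids_hardened(%w[1 2 3])
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The intersection in directory_field_ids_hardened is the general fix for a user-controlled key: the request selects among server-approved values and can never introduce one.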


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-26973)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify reviewable notes on reviewables outside their authorized category scope.

The vulnerability exists due to improper access control in ReviewableNotesController when handling note creation or deletion requests. The controller does not check the referenced reviewable against the requester's category moderation scope, so a remote user with category-scoped moderation rights can send a request referencing any reviewable ID to create or delete notes on reviewables outside the categories they moderate.

Only instances with the enable_category_group_moderation setting enabled are affected.


6) Improper access control (CVE-ID: CVE-2026-27021)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the poll voters endpoint when handling requests for poll voter details. A remote user can request voter details for polls in posts they are not authorized to view to disclose sensitive information.


7) Missing Authentication for Critical Function (CVE-ID: CVE-2026-26078)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify or delete Patreon pledge data and trigger patron-to-group synchronization.

The vulnerability exists due to improper authentication in the Patreon plugin webhook endpoint when handling webhook requests with a blank patreon_webhook_secret site setting. A remote attacker can send a specially crafted webhook payload with a forged signature to modify or delete Patreon pledge data and trigger patron-to-group synchronization.

Exploitation is possible only when the patreon_webhook_secret site setting is left empty.


8) Improper access control (CVE-ID: CVE-2026-26979)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify the status of restricted topics.

The vulnerability exists due to improper access control in topic status management for private categories when handling requests to close, archive, or pin topics. A remote user can send such a request for a topic in a private category they cannot access and change its status.

Only trust level 4 (TL4) users can exploit the issue.


9) Improper access control (CVE-ID: CVE-2026-28218)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute SQL queries they are not authorized to run.

The vulnerability exists due to improper access control in the Data Explorer plugin when handling queries that have no explicit group assignment. A remote user who is not a member of any authorized group can run any such query, including the built-in system queries, and read its results.


10) Missing Authentication for Critical Function (CVE-ID: CVE-2026-26077)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing authentication in the webhook endpoints of the WebhooksController when no authentication token is configured: incoming requests are processed without verifying that they come from the mail provider. A remote attacker can send forged webhook payloads to cause a denial of service.

The issue affects the SendGrid, Mailjet, Mandrill, Postmark, SparkPost, and Mailpace webhook endpoints, and can artificially inflate user bounce scores so legitimate user emails may be disabled.
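Items 7 and 10 are the same failure: an authentication check that silently passes when the secret or token it depends on is unconfigured. The added Ruby example below (not Discourse's or Patreon's code; the header and setting semantics are hypothetical and the payloads are constructed) shows a signature check that, given a blank secret, accepts a signature computed with the empty key, and a token check that treats "no token configured" as "no check required", next to versions that fail closed and compare in constant time. HMAC-SHA256 is written out over the digest stdlib so the block runs without the openssl extension.

```ruby
# Added example, not Discourse's code: webhook authentication that fails closed
# when the secret or token is unconfigured.
require 'digest'

# HMAC-SHA256 (RFC 2104) written out so the example needs only the digest
# stdlib; production code should use OpenSSL::HMAC instead.
def hmac_sha256_hex(key, msg)
  key = Digest::SHA256.digest(key) if key.bytesize > 64
  key = key.b.ljust(64, "\x00")
  ipad = key.bytes.map { |b| b ^ 0x36 }.pack('C*')
  opad = key.bytes.map { |b| b ^ 0x5c }.pack('C*')
  Digest::SHA256.hexdigest(opad + Digest::SHA256.digest(ipad + msg.b))
end

# Compare without leaking the position of the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable shape (hypothetical): a blank secret becomes the HMAC key "", which
# an attacker can use too, so a "forged" signature verifies.
def signature_valid_vulnerable?(secret, body, signature)
  hmac_sha256_hex(secret.to_s, body) == signature.to_s
end

# Hardened: refuse everything until a secret is configured.
def signature_valid_hardened?(secret, body, signature)
  return false if secret.nil? || secret.empty? || signature.nil?
  constant_time_equal?(hmac_sha256_hex(secret, body), signature)
end

# Vulnerable shape (hypothetical) for a shared token: "no token configured" is
# treated as "no check required".
def token_valid_vulnerable?(configured, provided)
  configured.nil? || configured.empty? || configured == provided
end

def token_valid_hardened?(configured, provided)
  return false if configured.nil? || configured.empty? || provided.nil?
  constant_time_equal?(configured, provided)
end

# Constructed payloads.
def demo
  body = '{"event":"pledge_deleted","patron_id":42}'
  forged = hmac_sha256_hex('', body) # attacker signs with the empty key
  real_secret = 'whsec_example_do_not_use'
  genuine = hmac_sha256_hex(real_secret, body)
  {
    blank_secret_vulnerable: signature_valid_vulnerable?('', body, forged),
    blank_secret_hardened:   signature_valid_hardened?('', body, forged),
    real_secret_genuine:     signature_valid_hardened?(real_secret, body, genuine),
    real_secret_forged:      signature_valid_hardened?(real_secret, body, forged),
    no_token_vulnerable:     token_valid_vulnerable?('', 'anything'),
    no_token_hardened:       token_valid_hardened?('', 'anything'),
    token_match_hardened:    token_valid_hardened?('t0k3n', 't0k3n')
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

An unconfigured secret should disable the endpoint, not the check; the hardened functions return false for every request until an operator sets one, which is also the easiest state to notice in logs.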


11) Improper access control (CVE-ID: CVE-2026-28227)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authorization checks and create topics in staff-only categories.

The vulnerability exists due to improper access control in the `publish_to_category` topic timer when publishing topics into staff-only categories. A remote user can set a `publish_to_category` timer that targets a staff-only category, and when the timer fires the topic is published there without the category's permission checks being applied.

Only TL4 users can exploit the issue.


12) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-28219)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify privileged topic attributes.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the topic management logic when handling crafted PUT or POST requests. A remote user can include privileged attributes among the request parameters and have them applied to the topic.

This can allow a regular authenticated user to set a topic as a site-wide notice or banner, bypassing intended administrative restrictions.
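The added Ruby example below (not Discourse's code; the attribute names are hypothetical and the request is constructed) shows the mass-assignment shape behind 12, where every parameter the client sends is copied onto the topic, next to a version that filters parameters against the caller's role before writing and reports the dropped keys so the attempt can be logged.

```ruby
# Added example, not Discourse's code: only copy the attributes the caller's
# role may set onto a topic.
BASE_TOPIC_ATTRS  = %w[title category_id tags].freeze
STAFF_TOPIC_ATTRS = %w[banner site_notice pinned_globally].freeze # hypothetical names

def permitted_topic_attrs(user)
  user[:staff] ? BASE_TOPIC_ATTRS + STAFF_TOPIC_ATTRS : BASE_TOPIC_ATTRS
end

# Vulnerable shape: every supplied key is written, so a regular user who adds
# banner=true to a PUT ends up with a site-wide banner.
def update_topic_vulnerable(topic, _user, params)
  params.each { |k, v| topic[k.to_s] = v }
  topic
end

# Hardened: filter against the role's allowlist and return what was dropped.
def update_topic_hardened(topic, user, params)
  allowed = permitted_topic_attrs(user)
  dropped = []
  params.each do |k, v|
    if allowed.include?(k.to_s)
      topic[k.to_s] = v
    else
      dropped << k.to_s
    end
  end
  [topic, dropped]
end

# Constructed request: a legitimate title edit with two privileged keys added.
def demo
  params  = { 'title' => 'Maintenance window', 'banner' => true, 'site_notice' => true }
  regular = { staff: false }
  admin   = { staff: true }

  vuln = update_topic_vulnerable({ 'id' => 5 }, regular, params)
  hard, dropped = update_topic_hardened({ 'id' => 5 }, regular, params)
  staff_topic, staff_dropped = update_topic_hardened({ 'id' => 5 }, admin, params)
  {
    vulnerable_banner: vuln['banner'],
    hardened_banner:   hard['banner'],
    hardened_title:    hard['title'],
    dropped:           dropped,
    staff_banner:      staff_topic['banner'],
    staff_dropped:     staff_dropped
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Returning the dropped keys matters operationally: a regular account repeatedly sending banner or site_notice is a probe worth alerting on, and a silent filter hides it.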


Remediation

Install the update from the vendor's website.