Missing Authorization in Discourse - CVE-2026-27151
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper access control in the move_posts action when moving posts between topics. A remote user can move posts into a destination topic where they do not have write permission, bypassing the authorization check on that topic.
This affects TL4 users and category group moderators, including cases involving read-only categories or categories with group-restricted write access.
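The flaw class described above, as an added example that is not Discourse's code or its patch: a simplified Ruby model in which a move is authorized on the source topic only, beside a version that also authorizes the destination. Every struct, method name and the `read_only` / `write_groups` fields are hypothetical, and the sample data is constructed.

```ruby
# Simplified model of the flaw class; not Discourse source. All names are hypothetical.
User     = Struct.new(:name, :trust_level, :groups, :moderated_category_ids)
Category = Struct.new(:id, :read_only, :write_groups)
Topic    = Struct.new(:id, :category, :post_ids)
class NotAuthorized < StandardError; end

# Right to move posts out of a topic: TL4, or group moderator of its category.
def can_move_posts_from?(user, topic)
  user.trust_level >= 4 || user.moderated_category_ids.include?(topic.category.id)
end

# Right to write into a topic: denied in read-only categories and in
# group-restricted categories when the user is in none of the write groups.
def can_write_to?(user, topic)
  cat = topic.category
  return false if cat.read_only
  cat.write_groups.empty? || !(cat.write_groups & user.groups).empty?
end

def transfer(source, dest, post_ids)
  moved = source.post_ids & post_ids
  source.post_ids -= moved
  dest.post_ids += moved
  moved
end

# Flawed pattern: only the source topic is authorized.
def move_posts_unchecked(user, source, dest, post_ids)
  raise NotAuthorized, "source" unless can_move_posts_from?(user, source)
  transfer(source, dest, post_ids)
end

# Corrected pattern: the destination is authorized too, before any change.
def move_posts_checked(user, source, dest, post_ids)
  raise NotAuthorized, "source" unless can_move_posts_from?(user, source)
  raise NotAuthorized, "destination" unless can_write_to?(user, dest)
  transfer(source, dest, post_ids)
end

# Constructed sample: a TL4 user targets a topic in a read-only category.
tl4 = User.new("tl4_user", 4, [], [])
src = Topic.new(10, Category.new(1, false, []), [101, 102])
dst = Topic.new(20, Category.new(2, true, []), [201])
begin
  move_posts_checked(tl4, src, dst, [101])
rescue NotAuthorized => e
  puts "denied: #{e.message}"
end
```

A regression test for this class of bug should cover each role the advisory names (TL4 user, category group moderator) against each destination type (read-only category, group-restricted category) and assert that neither topic changes when the move is denied.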