Improper access control in Discourse - CVE-2026-27152
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass communication preferences and add users to an existing direct message channel.
The vulnerability exists due to improper access control in Chat::AddUsersToChannel when adding members to an existing direct message channel. A remote user can add targets who have blocked, ignored, or muted that user, bypassing per-recipient private message restrictions.
The issue affects restrictions that are enforced during direct message channel creation but not when members are added later.
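
The gap described above, as an added Ruby sketch that is not Discourse's code or its patch: a recipient-preference guard enforced when a direct message channel is created is missing from the add-members path, shown beside a version that reuses the guard. All class, method and user names are hypothetical, and reusing the creation-time guard is an assumption about how such a gap is closed.

```ruby
# Added illustration. Every name here is hypothetical; this is not Discourse code.
require "set"

class NotAllowed < StandardError; end

# `refuses` holds the names this user has blocked, ignored, or muted.
User = Struct.new(:name, :refuses) do
  def refuses_dm_from?(actor)
    refuses.include?(actor.name)
  end
end

class DmChannel
  attr_reader :members

  # Creation path: recipient preferences are checked before anyone is added.
  def initialize(actor, targets)
    check_recipient_preferences!(actor, targets)
    @members = Set.new([actor, *targets].map(&:name))
  end

  # Flawed pattern: verifies channel membership only, so a target who
  # refuses messages from `actor` is still added.
  def add_users_unchecked(actor, targets)
    raise NotAllowed, "actor is not a member" unless members.include?(actor.name)
    members.merge(targets.map(&:name))
  end

  # Corrected pattern: the add path reuses the guard from the creation path.
  def add_users(actor, targets)
    raise NotAllowed, "actor is not a member" unless members.include?(actor.name)
    check_recipient_preferences!(actor, targets)
    members.merge(targets.map(&:name))
  end

  private

  def check_recipient_preferences!(actor, targets)
    refused = targets.select { |t| t.refuses_dm_from?(actor) }.map(&:name)
    raise NotAllowed, "refused by: #{refused.join(', ')}" unless refused.empty?
  end
end

# Constructed sample users: carol has blocked alice.
ALICE = User.new("alice", [])
BOB   = User.new("bob", [])
CAROL = User.new("carol", ["alice"])
```

A regression test for this class of bug exercises every path that changes channel membership with a recipient who refuses the actor, not only the creation path.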