Missing Authorization in Discourse - CVE-2026-27150
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access control in Data Explorer's QueryGroupBookmarkable when creating query group bookmarks. A remote user can create a bookmark for a query group they do not have access to and thereby obtain sensitive information.
Exploitation can expose query group metadata through bookmark reminder notifications.
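The following Ruby sketch is an added illustration of this class of flaw and one way to close it; it is not Discourse or Data Explorer code and not the project's patch. All class, method and data names are hypothetical. It assumes that visibility of a query group is decided by group membership, and the send-time re-check is an assumed defense-in-depth step.

```ruby
# Added illustration: all class and method names are hypothetical models,
# not Discourse or Data Explorer source code.
class AccessDenied < StandardError; end

User       = Struct.new(:id, :group_ids)
QueryGroup = Struct.new(:id, :group_id, :query_name)
Bookmark   = Struct.new(:user, :target)

# Single authorization rule reused by every code path that touches a target.
def can_see_query_group?(user, query_group)
  user.group_ids.include?(query_group.group_id)
end

class BookmarkService
  def initialize(enforce:)
    @enforce = enforce   # false models the missing check, true the hardened form
    @bookmarks = []
  end

  # Create-time check: refuse a bookmark on a target the user cannot see.
  def create(user, query_group)
    if @enforce && !can_see_query_group?(user, query_group)
      raise AccessDenied, "user #{user.id} cannot bookmark query group #{query_group.id}"
    end
    @bookmarks << Bookmark.new(user, query_group)
    @bookmarks.last
  end

  # Reminder text embeds target metadata, so visibility is re-checked at send
  # time too (assumed defense in depth; also covers access revoked later).
  def reminder_notifications
    visible = @bookmarks.select { |b| !@enforce || can_see_query_group?(b.user, b.target) }
    visible.map { |b| "Reminder for user #{b.user.id}: #{b.target.query_name}" }
  end
end

# Constructed sample data: user 7 is in group 1, the query group belongs to group 2.
OUTSIDER = User.new(7, [1])
MEMBER   = User.new(8, [2])
RESTRICTED_GROUP = QueryGroup.new(42, 2, "constructed-finance-report")

def run_scenario(enforce)
  service = BookmarkService.new(enforce: enforce)
  service.create(MEMBER, RESTRICTED_GROUP)
  begin
    service.create(OUTSIDER, RESTRICTED_GROUP)
  rescue AccessDenied
    # hardened path: nothing is stored for the outsider
  end
  service.reminder_notifications
end
```

With enforcement off, the reminder list contains an entry for user 7 that carries the restricted query group's name; with enforcement on, only the group member's reminder remains.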