Improper access control in Discourse - CVE-2026-26207
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and modify policy state on posts they are not authorized to view.
The vulnerability exists due to improper access control in the PolicyController when handling policy actions for posts loaded by ID. A remote user can send crafted requests referencing post IDs to disclose sensitive information and modify policy state on inaccessible posts.
Differentiated error responses can reveal which post IDs have policies attached, and the issue affects posts in private categories and private messages.