Improper access control in Discourse - CVE-2026-26207

 

Improper access control in Discourse - CVE-2026-26207

Published: July 1, 2026


Vulnerability identifier: #VU136121
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26207
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify policy state on posts they are not authorized to view.

The vulnerability exists due to improper access control in the PolicyController when handling policy actions for posts loaded by ID. A remote user can send crafted requests referencing post IDs to disclose sensitive information and modify policy state on inaccessible posts.

Differentiated error responses can reveal which post IDs have policies attached, and the issue affects posts in private categories and private messages.


How to mitigate CVE-2026-26207

Install security update from vendor's website.

Sources