Authorization bypass through user-controlled key in Discourse - CVE-2026-26973
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to modify reviewable notes on reviewables outside their authorized category scope.
The vulnerability exists due to improper access control in ReviewableNotesController when handling note creation or deletion requests for reviewables: the reviewable is resolved from the request-supplied identifier without confirming that it lies within the requester's authorized category scope. A remote user can therefore send a crafted request referencing any reviewable identifier and modify notes on reviewables outside the categories they are authorized to moderate.
Only instances with the enable_category_group_moderation setting enabled are affected.
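The missing check described above, modelled as an added Ruby example (this is not Discourse's own code): a notes endpoint that resolves the reviewable from the caller-supplied id and then verifies it lies within the requesting moderator's category scope, shown beside the unchecked pattern. `Reviewable`, `Moderator`, `REVIEWABLES` and `authorize_note_change!` are placeholder names assumed for the illustration.

```ruby
# Added illustration of the authorization check a reviewable-notes endpoint
# needs. All classes and data here are constructed stand-ins, not Discourse's
# models; the category-moderation flag mirrors the enable_category_group_moderation setting.
Reviewable = Struct.new(:id, :category_id)
Moderator  = Struct.new(:username, :staff, :moderated_category_ids)

class NotAuthorized < StandardError; end
class NotFound < StandardError; end

# Constructed sample data: two reviewables living in different categories.
REVIEWABLES = {
  101 => Reviewable.new(101, 7), # category 7
  202 => Reviewable.new(202, 9), # category 9
}.freeze

# Vulnerable pattern (CWE-639 style): the reviewable is fetched purely from the
# caller-supplied id and the note is changed with no check that the requesting
# moderator may act on that reviewable at all.
def change_note_unchecked(_mod, reviewable_id)
  reviewable = REVIEWABLES.fetch(reviewable_id) { raise NotFound }
  "note changed on reviewable #{reviewable.id}"
end

# Hardened pattern: resolve by id, then authorize against the object's own
# category. Staff may touch any reviewable; with category group moderation
# enabled, a non-staff moderator may only touch reviewables in categories
# assigned to them; with it disabled, non-staff users are denied outright.
def authorize_note_change!(mod, reviewable, category_group_moderation:)
  return if mod.staff
  if category_group_moderation && mod.moderated_category_ids.include?(reviewable.category_id)
    return
  end
  raise NotAuthorized, "#{mod.username} may not edit notes on reviewable #{reviewable.id}"
end

def change_note_checked(mod, reviewable_id, category_group_moderation: true)
  reviewable = REVIEWABLES.fetch(reviewable_id) { raise NotFound }
  authorize_note_change!(mod, reviewable, category_group_moderation: category_group_moderation)
  "note changed on reviewable #{reviewable.id}"
end
```

The authorization decision is keyed on the category of the reviewable that was actually loaded, so swapping the id in the request cannot widen the moderator's scope.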