Authorization bypass through user-controlled key in Discourse - CVE-2026-26973
Published: July 1, 2026
Vulnerability identifier: #VU136123
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26973
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify reviewable notes on reviewables outside their authorized category scope.

The vulnerability exists due to improper access control in ReviewableNotesController when handling note creation or deletion requests for reviewables. A remote user can send a crafted request referencing any reviewable identifier to modify reviewable notes on reviewables outside their authorized category scope.

Only instances with the enable_category_group_moderation setting enabled are affected.
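The defect class described above (CWE-639) can be illustrated in plain Ruby with an added example that is not Discourse's code: a note-creation action that resolves a client-supplied reviewable id and then checks only whether the caller is a moderator at all, beside a version that checks the caller's scope against the specific reviewable the id resolves to. All names (Reviewable, User, the note functions) are hypothetical.

```ruby
# Added illustration of CWE-639 as described for CVE-2026-26973.
# Not Discourse's code: the models and functions below are hypothetical.
Reviewable = Struct.new(:id, :category_id)
User = Struct.new(:id, :staff, :moderated_category_ids)

class AccessDenied < StandardError; end

# Constructed sample data: two reviewables in different categories.
REVIEWABLES = {
  10 => Reviewable.new(10, 1),
  11 => Reviewable.new(11, 2),
}.freeze

# Vulnerable pattern: the object is looked up by the user-controlled key and
# the only authorization question asked is "may this user moderate anything?".
# The key is never tied to the categories the user is allowed to moderate, so
# a category group moderator can act on a reviewable in any category.
def create_note_vulnerable(user, reviewable_id, text, notes)
  reviewable = REVIEWABLES.fetch(reviewable_id)
  raise AccessDenied unless user.staff || !user.moderated_category_ids.empty?
  notes << [reviewable.id, user.id, text]
  true
end

# Hardened pattern: authorization is decided against the resolved object.
# Staff may act on any reviewable; a category group moderator only on
# reviewables whose category is in their moderated set. In a Rails app the
# same effect is achieved by scoping the query itself (e.g. restricting the
# lookup to the user's moderated categories) so out-of-scope ids do not resolve.
def can_moderate?(user, reviewable)
  user.staff || user.moderated_category_ids.include?(reviewable.category_id)
end

def create_note_fixed(user, reviewable_id, text, notes)
  reviewable = REVIEWABLES.fetch(reviewable_id)
  raise AccessDenied unless can_moderate?(user, reviewable)
  notes << [reviewable.id, user.id, text]
  true
end
```

The deletion path needs the identical per-object check; a check that passes for creation but is absent for deletion leaves the same bypass open.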
How to mitigate CVE-2026-26973

Install the security update from the vendor's website.

Sources