Improper access control in Discourse - CVE-2026-26979

Published: July 1, 2026


Vulnerability identifier: #VU136126
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26979
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify the status of restricted topics.

The vulnerability exists due to improper access control in topic status management for private categories when handling requests to close, archive, or pin topics. A remote user can send a request to change the status of topics in private categories to which they do not have access and thereby modify the status of restricted topics.

The issue is limited to users with trust level 4 (TL4).
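The defect pattern the description points to, shown as an added example that is not Discourse's own code: a hypothetical status-change handler that gates only on trust level, beside the same handler with the category-visibility check the operation needs. The structs, the guardian helper and the sample data are assumptions for illustration.

```ruby
# Added illustration (not Discourse's code): a hypothetical topic status
# handler with and without the category-visibility check.
User     = Struct.new(:name, :trust_level, :group_ids)
Category = Struct.new(:name, :read_restricted, :allowed_group_ids)
Topic    = Struct.new(:title, :category, :closed, :archived, :pinned)

STATUSES = %i[closed archived pinned].freeze

# Hypothetical guardian: a category is visible if it is public or the
# user belongs to one of the groups granted access to it.
def can_see_category?(user, category)
  return true unless category.read_restricted
  (user.group_ids & category.allowed_group_ids).any?
end

# Vulnerable pattern: the handler checks only the trust-level requirement,
# so the change is applied even when the topic sits in a private category
# the caller cannot see.
def set_status_vulnerable(user, topic, status, value)
  raise ArgumentError, "unknown status #{status}" unless STATUSES.include?(status)
  raise 'forbidden' unless user.trust_level >= 4
  topic[status] = value
  topic
end

# Fixed pattern: the same operation is additionally gated on visibility of
# the topic's category, matching the access check applied on the read path.
def set_status_fixed(user, topic, status, value)
  raise ArgumentError, "unknown status #{status}" unless STATUSES.include?(status)
  raise 'forbidden' unless user.trust_level >= 4
  raise 'forbidden' unless can_see_category?(user, topic.category)
  topic[status] = value
  topic
end

# Constructed sample data: a staff-only category (group 1) and a TL4 user
# who is not a member of that group.
def sample
  staff_only = Category.new('staff', true, [1])
  general    = Category.new('general', false, [])
  tl4        = User.new('tl4_user', 4, [7])
  { staff_only: staff_only, general: general, tl4: tl4 }
end

# Runs one handler and reports whether the change was applied or refused.
def attempt(handler, user, topic, status = :closed, value = true)
  send(handler, user, topic, status, value)
  :allowed
rescue RuntimeError
  :denied
end
```

The vulnerable handler accepts the close request from the TL4 user on the staff-only topic; the fixed handler refuses it while still allowing the same user to act on public topics.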


How to mitigate CVE-2026-26979

Install the security update from the vendor's website.

Sources