Improper access control in Discourse - CVE-2026-26979
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to modify the status of restricted topics.
The vulnerability exists due to improper access control in topic status management for private categories when handling requests to close, archive, or pin topics. A remote user can send a request that changes the status of topics in private categories they do not have access to.
The issue is limited to TL4 users.
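A simplified model of this class of flaw, added here as an example and not taken from Discourse's code: it assumes the flawed guard consulted only the trust level, and shows the corrected guard also requiring access to the topic's category. All class, method and data names are hypothetical.

```ruby
# Simplified model, constructed for illustration. Names are hypothetical
# and are not Discourse's own classes or methods.
User     = Struct.new(:name, :trust_level, :group_ids)
Category = Struct.new(:name, :allowed_group_ids) do
  # A category with no group restriction is treated as public.
  def private?
    !allowed_group_ids.empty?
  end
end
Topic = Struct.new(:title, :category, :closed, :archived, :pinned)

STATUSES = %i[closed archived pinned].freeze

def can_see_category?(user, category)
  return true unless category.private?
  !(user.group_ids & category.allowed_group_ids).empty?
end

# Flawed guard (assumed shape): trust level alone decides, and category
# access is never consulted.
def can_change_status_flawed?(user, _topic)
  user.trust_level >= 4
end

# Corrected guard: the TL4 privilege applies only to topics the user may see.
def can_change_status?(user, topic)
  user.trust_level >= 4 && can_see_category?(user, topic.category)
end

# Applies a status change only when the named guard allows it.
def update_status(user, topic, status, value, guard)
  raise ArgumentError, "unknown status #{status}" unless STATUSES.include?(status)
  return :forbidden unless send(guard, user, topic)
  topic[status] = value
  :ok
end

# Constructed sample data: a TL4 user outside the private category's group.
def demo
  tl4    = User.new("tl4_user", 4, [])
  secret = Topic.new("restricted", Category.new("staff", [1]), false, false, false)
  open_t = Topic.new("open", Category.new("general", []), false, false, false)
  { flawed_private: update_status(tl4, secret.dup, :closed, true, :can_change_status_flawed?),
    fixed_private:  update_status(tl4, secret, :closed, true, :can_change_status?),
    fixed_public:   update_status(tl4, open_t, :closed, true, :can_change_status?),
    secret_closed:  secret.closed }
end
```

A regression test for the fix would assert the `:forbidden` outcome for each of the three statuses (close, archive, pin) against a topic in a category the acting user cannot see.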