Improper access control in Discourse - CVE-2026-27491


Published: July 1, 2026


Vulnerability identifier: #VU136135
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27491
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to issue unauthorized warnings to other users.

The vulnerability exists because the post actions API endpoint does not properly check the caller's authorization before acting on certain requests. A remote, authenticated user can send a specially crafted request to this endpoint to issue warnings to other users, an action they are not authorized to perform.

Exploitation requires the attacker to be logged in (PR:L in the vector above). The impact is limited to creating unauthorized user warnings; no data exposure or privilege escalation beyond that is possible.
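The following is an added illustration of the access-control pattern this advisory describes; it is not Discourse's code and does not reproduce the actual flaw. It models a post-action handler in plain Ruby (Discourse's language) with invented names (User, PostActionRequest, WarningStore, create_post_action_vulnerable, create_post_action_hardened, audit_warnings): the vulnerable shape gates only on "is someone logged in" and takes the decision to issue a warning from a client-supplied flag, while the hardened shape derives that decision from the actor's role on the server. It also includes a post-patch audit that lists warnings issued by non-staff accounts, which is the artefact a successful exploitation would leave behind. All sample users and requests are constructed for the demonstration.

```ruby
# Added example, not Discourse's implementation. All names are invented.

User = Struct.new(:id, :username, :staff) do
  def staff?
    staff
  end
end

# A parsed post-action request as the server sees it. Every field, including
# is_warning, originates from the client and must not be trusted for
# authorization decisions.
PostActionRequest = Struct.new(:actor, :target_user_id, :post_id, :is_warning)

# Minimal persistence: each warning records who issued it and to whom.
class WarningStore
  attr_reader :warnings

  def initialize
    @warnings = []
  end

  def add(by:, to:, post:)
    @warnings << { by: by, to: to, post: post }
  end
end

class AccessDenied < StandardError; end

# Vulnerable shape: the only gate is "is someone logged in?" (PR:L), and the
# decision to create an official warning is taken from the client-controlled
# is_warning flag. Any member can therefore warn any other member.
def create_post_action_vulnerable(store, req)
  raise AccessDenied, "login required" if req.actor.nil?
  return :message_sent unless req.is_warning

  store.add(by: req.actor.id, to: req.target_user_id, post: req.post_id)
  :warning_created
end

# Hardened shape: authorization is derived from the actor's role on the server
# and checked before any side effect. A non-staff request that asks for a
# warning is rejected rather than silently downgraded.
def create_post_action_hardened(store, req)
  raise AccessDenied, "login required" if req.actor.nil?
  return :message_sent unless req.is_warning
  raise AccessDenied, "only staff may issue warnings" unless req.actor.staff?

  store.add(by: req.actor.id, to: req.target_user_id, post: req.post_id)
  :warning_created
end

# Post-patch check: warnings whose issuer is not staff are the records to
# review and revoke. Simplification: assumes roles have not changed since the
# warning was issued; a real audit would consult role history.
def audit_warnings(store, users_by_id)
  store.warnings.reject { |w| users_by_id.fetch(w[:by]).staff? }
end

# Constructed sample users for the demonstration.
def sample_users
  {
    1 => User.new(1, "moderator", true),
    2 => User.new(2, "alice", false),
    3 => User.new(3, "bob", false),
  }
end

# Runs both handlers with the same non-staff request, then a legitimate staff
# request against the hardened handler, and returns the outcomes plus the
# audit result.
def demo
  users = sample_users
  store = WarningStore.new
  attacker_req = PostActionRequest.new(users[2], 3, 42, true)
  staff_req = PostActionRequest.new(users[1], 3, 43, true)

  vulnerable_result = create_post_action_vulnerable(store, attacker_req)
  hardened_result =
    begin
      create_post_action_hardened(store, attacker_req)
    rescue AccessDenied => e
      e.message
    end
  create_post_action_hardened(store, staff_req)

  {
    vulnerable: vulnerable_result,
    hardened: hardened_result,
    total_warnings: store.warnings.size,
    suspicious: audit_warnings(store, users),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "vulnerable handler: #{r[:vulnerable]}"
  puts "hardened handler:   #{r[:hardened]}"
  puts "warnings needing review: #{r[:suspicious].inspect}"
end
```

The point of the hardened variant is that the role check happens server-side and before the write; whether a non-staff warning request is rejected or downgraded to a regular message is a product decision, but it must never be decided by a field the client sends.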


How to mitigate CVE-2026-27491

Install the security update from the vendor's website.

Sources