Improper access control in Discourse - CVE-2026-27491
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to issue unauthorized warnings to other users.
The vulnerability exists due to improper access control in the post actions API endpoint when handling specially crafted requests. A remote user can send such a request to issue warnings to other users without being authorized to do so.
Exploitation requires the attacker to be logged in. No data exposure or privilege escalation beyond creating unauthorized user warnings is possible.
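As an added illustration (not Discourse's code), the following simplified Ruby post-action handler shows the defect class described above: an endpoint that confirms the caller is logged in but applies no separate authorization check to the privileged warning side effect, beside a hardened form that does. The parameter names, the staff-only policy and the record shapes are assumptions made for this example.

```ruby
# Added illustration, not Discourse's code: a simplified post-action
# handler showing the defect class the advisory describes. Parameter
# names, the "staff only" policy and the record shapes are assumptions.
User        = Struct.new(:id, :username, :staff, keyword_init: true)
UserWarning = Struct.new(:issued_by, :target, :post_id, keyword_init: true)
class AuthorizationError < StandardError; end

module PostActions
  # Denied privileged requests are kept for operators; repeated denials
  # from one account are a useful detection signal.
  AUDIT = []
  def self.warning_for(user, params)
    UserWarning.new(issued_by: user.id, target: params[:target],
                    post_id: params[:post_id])
  end
  # Vulnerable shape: authentication is checked (a session exists), but
  # the privileged side effect, issuing a warning, has no guard of its
  # own, so the client-supplied is_warning flag is honoured for anyone.
  def self.create_unchecked(current_user, params)
    raise AuthorizationError, 'login required' if current_user.nil?
    return warning_for(current_user, params) if params[:is_warning]
    { flagged: params[:post_id], by: current_user.id }
  end

  # Hardened shape: the role check runs server-side on the caller's
  # account, before the warning is created, and denials are recorded.
  def self.create(current_user, params)
    raise AuthorizationError, 'login required' if current_user.nil?
    if params[:is_warning]
      unless current_user.staff
        AUDIT << { user: current_user.id, action: 'warning_denied',
                   target: params[:target], post_id: params[:post_id] }
        raise AuthorizationError, 'only staff may issue warnings'
      end
      return warning_for(current_user, params)
    end
    { flagged: params[:post_id], by: current_user.id }
  end
end

if $PROGRAM_NAME == __FILE__
  member = User.new(id: 1, username: 'alice', staff: false)
  p PostActions.create_unchecked(member, is_warning: true, target: 'bob', post_id: 42)
  begin
    PostActions.create(member, is_warning: true, target: 'bob', post_id: 42)
  rescue AuthorizationError => e
    puts "denied: #{e.message}; audit entries=#{PostActions::AUDIT.size}"
  end
end
```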