Improper access control in Discourse - CVE-2026-32615

Published: July 1, 2026


Vulnerability identifier: #VU136152
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32615
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote authenticated user to perform privileged moderator actions on topics in restricted categories that the user has no read access to.

The vulnerability exists because category group moderator permissions are not correctly enforced for topics in private categories: the moderator-action check does not confirm that the acting user can actually see the topic. A remote user who holds group moderator rights on such a category can therefore perform moderator actions on its topics without read access to them. The CVSS vector (PR:L, VI:H) reflects this: low privileges are required and the impact is on integrity, not confidentiality.
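The pattern behind this class of bug, as an added illustration that is not Discourse's own code: a simplified guardian in which the moderator-action check is derived from group membership alone, beside a hardened version that also requires read access to the topic. All class and method names here (Guardian, can_see_topic?, category_group_moderator?, the demo data) are hypothetical and constructed for the example.

```ruby
# Constructed example, not Discourse code. Models a category group moderator
# check that omits the read-access test (CWE-284) and its hardened form.

Topic    = Struct.new(:id, :category)
Category = Struct.new(:name, :private, :reader_groups, :moderator_groups)
User     = Struct.new(:name, :groups)

class Guardian
  def initialize(user)
    @user = user
  end

  # Read access: public categories are visible to everyone; private
  # categories only to members of one of the category's reader groups.
  def can_see_topic?(topic)
    cat = topic.category
    return true unless cat.private
    (@user.groups & cat.reader_groups).any?
  end

  # Group moderator: any of the user's groups is a moderator group for the
  # topic's category. This says nothing about whether the user may read it.
  def category_group_moderator?(topic)
    (@user.groups & topic.category.moderator_groups).any?
  end

  # Flawed check: grants moderator actions on group-moderator membership
  # alone, so a moderator of a private category they cannot read still
  # passes (the class of bug described in the advisory).
  def can_moderate_topic_vulnerable?(topic)
    category_group_moderator?(topic)
  end

  # Hardened check: a moderator action on a topic requires both the
  # moderator role for the category and read access to the topic itself.
  def can_moderate_topic?(topic)
    can_see_topic?(topic) && category_group_moderator?(topic)
  end
end

# Hypothetical fixture: a private category readable only by "staff", with
# "helpers" configured as its group moderators.
def demo
  staff_private = Category.new("staff-private", true, ["staff"], ["helpers"])
  topic = Topic.new(1, staff_private)

  helper = User.new("helper", ["helpers"])          # moderator, not a reader
  staffer = User.new("staffer", ["staff", "helpers"]) # moderator and reader
  outsider = User.new("outsider", ["members"])       # neither

  {
    helper_sees:        Guardian.new(helper).can_see_topic?(topic),
    helper_vulnerable:  Guardian.new(helper).can_moderate_topic_vulnerable?(topic),
    helper_hardened:    Guardian.new(helper).can_moderate_topic?(topic),
    staffer_hardened:   Guardian.new(staffer).can_moderate_topic?(topic),
    outsider_hardened:  Guardian.new(outsider).can_moderate_topic?(topic),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the hardened form is that the moderator capability is layered on top of visibility rather than computed independently of it; any action endpoint that consults only the moderator predicate will reproduce the flaw regardless of how the rest of the permission model is configured.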


How to mitigate CVE-2026-32615

Install the security update from the vendor's website.

Sources