Improper access control in Discourse - CVE-2026-32615
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to perform privileged actions on topics in restricted categories without read access.
The vulnerability exists due to improper access control in category group moderator permissions for topics in private categories to which the user has no read access. A remote user can perform moderator actions on those topics, that is, privileged actions on topics in restricted categories, without having read access to them.
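The access-control pattern described above, as an added example: a simplified Ruby model that is not Discourse source code and is not taken from the advisory. Every class, method, field and group id in it is a hypothetical name or constructed value, chosen only to show a moderation check that ignores read access next to one that requires it.

```ruby
# Added illustration; a simplified model, not Discourse source code.
# All class, method and field names are hypothetical.
require "set"

Category = Struct.new(:name, :read_group_ids, :moderator_group_ids)
Topic    = Struct.new(:title, :category)
User     = Struct.new(:name, :group_ids)

class Guardian
  def initialize(user)
    @user = user
  end

  # Read access: the user shares a group with the category's readers.
  def can_see?(topic)
    @user.group_ids.intersect?(topic.category.read_group_ids)
  end

  # Moderation granted through membership in a category moderator group.
  def category_group_moderator?(topic)
    @user.group_ids.intersect?(topic.category.moderator_group_ids)
  end

  # Flawed pattern: moderator group membership alone authorizes the action.
  def can_moderate_unchecked?(topic)
    category_group_moderator?(topic)
  end

  # Hardened pattern: a moderator action also requires read access.
  def can_moderate?(topic)
    can_see?(topic) && category_group_moderator?(topic)
  end
end

# Audit helper: names of users who hold moderation rights on a topic
# they are not allowed to read.
def audit(users, topic)
  users.select do |u|
    g = Guardian.new(u)
    g.category_group_moderator?(topic) && !g.can_see?(topic)
  end.map(&:name)
end

# Constructed sample data: group 10 may read the private category;
# group 20 is its moderator group but has no read access.
private_cat = Category.new("staff-only", Set[10], Set[20])
topic       = Topic.new("Restricted topic", private_cat)
mod_no_read = User.new("mod_without_read", Set[20])
mod_reader  = User.new("mod_with_read", Set[10, 20])
```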