Improper access control in Discourse - CVE-2026-27481
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in tag routes when handling requests for hidden tag data. A remote attacker can request staff-only tag routes and obtain information intended for staff only.
Only instances with tagging enabled and staff-only tag groups configured are vulnerable.
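For operators of affected instances, the following added example (not part of the advisory and not Discourse code) reviews web access logs for successful requests to hidden tag routes from clients outside a staff allowlist. The combined log format, the `/tag/<name>` and `/tags/<name>` path prefixes, the tag names and the IP addresses are all assumptions or constructed sample values; replace them with your own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): combined-format access logs, tag pages
# served under /tag/<name> or /tags/<name>, and the operator-supplied sets below.
HIDDEN_TAGS = {"internal-escalation", "legal-hold"}  # constructed tag names
STAFF_IPS = {"10.0.0.5"}                             # constructed allowlist

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
TAG_RE = re.compile(r"^/tags?/(?P<tag>[^/]+)")

def hidden_tag_in(target):
    """Return the hidden tag a request target refers to, or None."""
    # Drop the query string, decode %-escapes, and compare case-insensitively.
    path = unquote(urlsplit(target).path).lower()
    m = TAG_RE.match(path)
    if not m:
        return None
    tag = m.group("tag")
    for suffix in (".json", ".rss"):
        if tag.endswith(suffix):
            tag = tag[: -len(suffix)]
    return tag if tag in HIDDEN_TAGS else None

def suspicious_hits(lines):
    """Map client IP -> sorted hidden tags fetched with HTTP 200 by non-staff IPs."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200" or m.group("ip") in STAFF_IPS:
            continue
        tag = hidden_tag_in(m.group("target"))
        if tag:
            hits[m.group("ip")].add(tag)
    return {ip: sorted(tags) for ip, tags in hits.items()}

SAMPLE_LOG = [  # constructed log lines, for illustration only
    '203.0.113.7 - - [01/Jul/2026:10:00:00 +0000] "GET /tag/legal-hold.json HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jul/2026:10:00:02 +0000] "GET /tag/Internal-Escalation/info HTTP/1.1" 200 300 "-" "-"',
    '203.0.113.7 - - [01/Jul/2026:10:00:03 +0000] "GET /tag/legal-hold HTTP/1.1" 404 90 "-" "-"',
    '10.0.0.5 - - [01/Jul/2026:10:01:00 +0000] "GET /tag/legal-hold HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [01/Jul/2026:10:02:00 +0000] "GET /tag/announcements HTTP/1.1" 200 700 "-" "-"',
    '198.51.100.9 - - [01/Jul/2026:10:02:05 +0000] "GET /tags/legal%2Dhold?page=1 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(suspicious_hits(SAMPLE_LOG))
```

Staff members browsing from addresses outside the allowlist will also appear in the output, so treat each entry as a candidate for review rather than confirmed disclosure.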