Improper access control in Discourse - CVE-2026-30888
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to modify site policy documents.
The vulnerability exists due to improper access control in the suspend/silence endpoint when handling an arbitrary post_id. A remote user can supply a crafted post_id to modify site policy documents.
The issue allows modification of the terms of service, guidelines, and privacy policy despite those documents being explicitly restricted from moderators.
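The class of flaw described above, as an added example that is not Discourse source code or part of the original advisory: a handler that checks only the caller's role and then trusts post_id, beside a form that re-checks authorization on the post the id resolves to. All names, the data model, and the assumption that the handler edits the referenced post are hypothetical; the sample posts are constructed.

```ruby
# Simplified model of object-level authorization. NOT Discourse code:
# every class, method and field name here is hypothetical.
Post = Struct.new(:id, :body, :policy_doc) # policy_doc: ToS, guidelines, privacy policy
User = Struct.new(:name, :role)

class Forbidden < StandardError; end

# Constructed sample data: one ordinary post, one restricted policy document.
def sample_posts
  {
    1 => Post.new(1, "spam reply", false),
    2 => Post.new(2, "Terms of Service v1", true)
  }
end

# Per-object rule: admins may edit any post; moderators may edit
# any post except the restricted policy documents.
def can_edit_post?(actor, post)
  return true if actor.role == :admin
  actor.role == :moderator && !post.policy_doc
end

# Weak form: verifies the caller is staff, then acts on whatever
# post the caller-supplied post_id happens to resolve to.
def penalize_unchecked(actor, posts, post_id:, new_body:)
  raise Forbidden, "not staff" unless %i[admin moderator].include?(actor.role)
  post = posts.fetch(post_id)
  post.body = new_body
  post
end

# Hardened form: same role check, plus an authorization check on the
# specific object before it is modified.
def penalize_checked(actor, posts, post_id:, new_body:)
  raise Forbidden, "not staff" unless %i[admin moderator].include?(actor.role)
  post = posts.fetch(post_id)
  raise Forbidden, "cannot edit post #{post.id}" unless can_edit_post?(actor, post)
  post.body = new_body
  post
end
```

The check belongs in the handler for every action that takes an object id from the request, not only in the dedicated edit path.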