Improper access control in Discourse - CVE-2026-30888

Published: July 1, 2026


Vulnerability identifier: #VU136271
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-30888
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify site policy documents.

The vulnerability exists due to improper access control in the suspend/silence endpoint when handling an arbitrary post_id. A remote user can supply a crafted post_id to modify site policy documents.

The issue allows modification of the terms of service, guidelines, and privacy policy despite those documents being explicitly restricted from moderators.
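As an added illustration (not Discourse's own code; the models, store and Guardian-style check below are hypothetical), a reduced Ruby model of the access control pattern described above: a moderation action that edits whatever post a caller-supplied post_id names, beside a version that first verifies the post belongs to the user being moderated and that the acting staff member is allowed to edit that document.

```ruby
# Hypothetical, simplified models; real Discourse objects are far richer.
Post  = Struct.new(:id, :user_id, :topic_id, :raw)
Topic = Struct.new(:id, :policy_document) # true for TOS, guidelines, privacy policy
Staff = Struct.new(:id, :admin)           # admin == false means moderator

class NotAuthorized < StandardError; end

SYSTEM_USER_ID = -1

# Constructed in-memory store: one site policy document and one ordinary post.
def build_store
  {
    topics: { 1 => Topic.new(1, true), 2 => Topic.new(2, false) },
    posts:  { 10 => Post.new(10, SYSTEM_USER_ID, 1, "Terms of Service text"),
              20 => Post.new(20, 7, 2, "ordinary post by user 7") }
  }
end

# Guardian-style rule: moderators may edit ordinary posts but not policy documents.
def can_edit_post?(actor, post, store)
  return true if actor.admin
  !store[:topics].fetch(post.topic_id).policy_document
end

# Vulnerable pattern: the request's post_id is trusted outright. Reaching this
# method already required a staff account, and no further check is made.
def moderate_vulnerable(_actor, _target_user_id, post_id, new_raw, store)
  post = store[:posts].fetch(post_id)
  post.raw = new_raw
  :ok
end

# Hardened pattern: the post must belong to the moderated user, and the actor
# must pass the same edit check that protects the document elsewhere.
def moderate_hardened(actor, target_user_id, post_id, new_raw, store)
  post = store[:posts].fetch(post_id)
  unless post.user_id == target_user_id
    raise NotAuthorized, "post #{post_id} does not belong to user #{target_user_id}"
  end
  unless can_edit_post?(actor, post, store)
    raise NotAuthorized, "actor #{actor.id} may not edit post #{post_id}"
  end
  post.raw = new_raw
  :ok
end
```

The second check matters on its own: a mismatched target user is a caller error, but the document-level rule is what keeps a restricted document out of a moderator's reach.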


How to mitigate CVE-2026-30888

Install the security update from the vendor's website.
