Improper access control in Discourse - CVE-2026-33426


Published: July 1, 2026


Vulnerability identifier: #VU136347
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33426
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify hidden tags and create unauthorized tag synonyms.

The vulnerability exists due to improper access control in tag editing and tag synonym management when handling tag modification requests for hidden tags in restricted tag groups. A remote privileged user can edit a hidden tag, or create a synonym for it, despite the tag belonging to a restricted tag group, and so modify hidden tags and create unauthorized tag synonyms.

User interaction is required.
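As an added illustration, not Discourse's own code (all class names, fields and sample data below are constructed for this example), the following Ruby sketch contrasts a check that only tests for privilege with one that also requires membership in a group allowed to the tag's restricted tag group, and routes synonym creation through the same check so a synonym cannot bypass it:

```ruby
# Constructed model of tags, restricted tag groups and users.
# Not Discourse's data model; names and fields are assumptions.
TagGroup = Struct.new(:name, :restricted, :allowed_groups)
Tag      = Struct.new(:name, :tag_group, :synonyms)
User     = Struct.new(:name, :staff, :groups)

# A tag is hidden when it belongs to a restricted tag group.
def hidden_tag?(tag)
  !tag.tag_group.nil? && tag.tag_group.restricted
end

# Weak form (the CWE-284 pattern): any privileged user may edit any tag,
# whether or not they are allowed to see its restricted tag group.
def can_edit_tag_weak?(user, _tag)
  user.staff
end

# Corrected form: privilege alone is not enough; for a hidden tag the user
# must also belong to a group allowed to that tag's restricted tag group.
def can_edit_tag?(user, tag)
  return false unless user.staff
  return true unless hidden_tag?(tag)
  (user.groups & tag.tag_group.allowed_groups).any?
end

# Synonym creation reuses the same check, so it is not a side door
# to a hidden tag.
def add_synonym(user, target, synonym_name)
  raise "forbidden" unless can_edit_tag?(user, target)
  target.synonyms << synonym_name
  target
end

# Constructed sample data.
STAFF_ONLY  = TagGroup.new("staff-only", true, ["staff-core"])
HIDDEN      = Tag.new("internal-triage", STAFF_ONLY, [])
PUBLIC      = Tag.new("howto", nil, [])
MOD_OUTSIDE = User.new("mod-outside", true, ["moderators"])
MOD_INSIDE  = User.new("mod-inside", true, ["moderators", "staff-core"])
```

With the weak check, `MOD_OUTSIDE` may edit `HIDDEN`; with the corrected check only `MOD_INSIDE` may, while both may still edit the public tag.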


How to mitigate CVE-2026-33426

Install security update from vendor's website.

Sources