Improper access control in Discourse - CVE-2026-33426
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to modify hidden tags and create unauthorized tag synonyms.
The vulnerability exists due to improper access control in tag editing and tag synonym management when handling tag modification requests for hidden tags in restricted tag groups. A remote privileged user can edit a hidden tag or create a synonym for it, resulting in modified hidden tags and unauthorized tag synonyms.
User interaction is required.