Improper access control in Discourse - CVE-2026-28227
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to bypass authorization checks and create topics in staff-only categories.
The vulnerability exists because the `publish_to_category` topic timer performs improper access control when it publishes a topic into a staff-only category. A remote user can therefore schedule a `publish_to_category` timer to bypass the authorization checks and create topics in staff-only categories.
The issue affects trust level 4 (TL4) users.
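The defensive point behind this class of bug is that a deferred action such as a topic timer has to be authorized against the user who scheduled it, both when it is created and again when it fires. The following is an added illustration in Ruby and is not Discourse's code; the structs, the `can_create_topic_in?` rule and the two executor variants are hypothetical stand-ins for the real models and guardian.

```ruby
# Added illustration (not Discourse's code): minimal stand-ins for the models involved.
Category = Struct.new(:id, :staff_only)
User = Struct.new(:id, :trust_level, :staff)
Topic = Struct.new(:id, :category_id)
TopicTimer = Struct.new(:topic, :target_category, :scheduled_by)

# Hypothetical permission rule: only staff may create topics in staff-only categories.
def can_create_topic_in?(user, category)
  user.staff || !category.staff_only
end

# Vulnerable pattern: the timer fires from a background job and moves the topic
# into the target category without consulting the scheduling user's permissions,
# so a non-staff user can land a topic in a staff-only category.
def execute_timer_unchecked(timer)
  timer.topic.category_id = timer.target_category.id
  :published
end

# Hardened pattern, part 1: refuse to schedule a timer the user could not
# carry out directly.
def schedule_timer(topic, target_category, user)
  return nil unless can_create_topic_in?(user, target_category)
  TopicTimer.new(topic, target_category, user)
end

# Hardened pattern, part 2: re-check at execution time against the user who
# scheduled the timer (never a system account), because the category's
# visibility or the user's role may have changed since scheduling.
def execute_timer_checked(timer)
  unless can_create_topic_in?(timer.scheduled_by, timer.target_category)
    return :forbidden # leave the topic where it is; a real system would log this
  end
  timer.topic.category_id = timer.target_category.id
  :published
end

# Constructed sample data for a stand-alone run.
STAFF_ONLY = Category.new(7, true)
PUBLIC_CAT = Category.new(1, false)
TL4_USER = User.new(42, 4, false)
ADMIN = User.new(1, 4, true)

if __FILE__ == $PROGRAM_NAME
  topic = Topic.new(100, PUBLIC_CAT.id)
  puts execute_timer_unchecked(TopicTimer.new(topic, STAFF_ONLY, TL4_USER)) # published
  topic = Topic.new(101, PUBLIC_CAT.id)
  puts execute_timer_checked(TopicTimer.new(topic, STAFF_ONLY, TL4_USER))   # forbidden
end
```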