CVE-2026-26207 in Discourse
Summary
by MITRE • 02/26/2026
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without verifying the current user's access, enabling policy group members to accept/unaccept policies on posts in private categories or PMs they cannot see, and any authenticated user to enumerate which post IDs have policies attached via differentiated error responses (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a `guardian.can_see?(@post)` check in the `set_post` before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (`policy_enabled = false`) eliminates the vulnerability. There is no other workaround without upgrading.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability described in CVE-2026-26207 affects Discourse, an open source discussion platform, specifically targeting the discourse-policy plugin functionality. This issue represents a critical access control flaw that undermines the platform's security model by allowing authenticated users to bypass normal permission boundaries. The vulnerability exists in versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, where the policy management system fails to properly validate user permissions before processing policy-related actions on posts.
The technical flaw resides in the PolicyController implementation, which retrieves posts by their identifiers without performing access verification. This design flaw exposes policy operations through a plain ID-based lookup that does not consult the requesting user's permissions or the category and message restrictions on the post. The vulnerability manifests in two primary ways: first, policy group members can accept or unaccept policies on posts within private categories or private messages they should not be able to access, and second, any authenticated user can enumerate post IDs that have policies attached by observing the different error responses returned by the system. This information disclosure weakens the platform's security posture by revealing to unauthorized users where policies exist within content they cannot otherwise see.
The operational impact of this vulnerability extends beyond the unauthorized policy actions themselves to include information gathering. Attackers can systematically enumerate post IDs with policies attached, potentially identifying sensitive content or private discussions that should remain hidden from unauthorized users. The vulnerability undermines the core security model of Discourse by allowing users to interact with content they should not be able to view, effectively bypassing the visibility controls that private categories and private messages are meant to enforce. This issue particularly impacts platforms that rely on Discourse for sensitive discussions, private messaging, or community management, where access controls are paramount for maintaining user privacy and data security.
The patch implemented in versions 2025.12.2, 2026.1.1, and 2026.2.0 addresses the vulnerability through a defensive programming approach that adds proper access validation in the set_post before_action method. The solution incorporates a guardian.can_see?(@post) check that ensures post visibility is verified before any policy action is processed, aligning with established security principles that advocate for least privilege access controls. This fix directly addresses the root cause by implementing proper authorization checks at the point of access rather than relying on implicit permission models. The mitigation strategy follows the principle of defense in depth by adding an explicit access control layer that prevents unauthorized policy operations on content the user should not be able to view.
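The following is an added illustration of the before/after pattern described above, not code from the discourse-policy plugin: the Post, Guardian, and error classes are simplified stand-ins (assumptions), and the sample posts are constructed. It shows why loading by ID alone lets a non-staff user act on, and distinguish, posts they cannot see, and how checking `guardian.can_see?` first and answering with the same not-found error removes both the unauthorized action and the enumeration signal.

```ruby
# Simplified stand-ins for Discourse's Post model and Guardian (assumption:
# the real plugin uses ActiveRecord models and Discourse's Guardian class).
Post = Struct.new(:id, :private, :has_policy)

class NotFound < StandardError; end
class NoPolicy < StandardError; end

# Constructed sample data: 1 = public post with policy, 2 = private post with
# policy, 3 = public post without policy; id 4 does not exist.
POSTS = {
  1 => Post.new(1, false, true),
  2 => Post.new(2, true, true),
  3 => Post.new(3, false, false),
}

# Stand-in Guardian: non-staff users cannot see private posts.
class Guardian
  def initialize(staff:)
    @staff = staff
  end

  def can_see?(post)
    !post.nil? && (@staff || !post.private)
  end
end

def find_post(id)
  POSTS.fetch(id) { raise NotFound }
end

# Vulnerable pattern: the before_action loads the post by ID and never asks the
# guardian, so a hidden post is acted on and its error differs from a missing one.
def vulnerable_accept(_guardian, post_id)
  post = find_post(post_id)
  raise NoPolicy unless post.has_policy
  :accepted
end

# Patched pattern: visibility is checked before any policy logic, and an
# invisible post gets the same NotFound as a nonexistent one.
def patched_accept(guardian, post_id)
  post = find_post(post_id)
  raise NotFound unless guardian.can_see?(post)
  raise NoPolicy unless post.has_policy
  :accepted
end

# Classify the observable outcome, as a client comparing responses would.
def outcome(method, guardian, post_id)
  send(method, guardian, post_id)
rescue NotFound
  :not_found
rescue NoPolicy
  :no_policy
end
```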
The workaround of disabling the discourse-policy plugin through setting policy_enabled = false provides a temporary solution for organizations unable to upgrade immediately, though this approach eliminates the policy functionality entirely. This limitation highlights the importance of proper vulnerability management and patch deployment strategies in maintaining secure software environments. Organizations using Discourse should prioritize upgrading to the patched versions to ensure comprehensive protection against this vulnerability. The issue demonstrates the critical importance of access control validation in web applications and aligns with CWE-284 (Improper Access Control) and ATT&CK techniques related to privilege escalation and information gathering. This vulnerability serves as a reminder of the necessity for thorough security testing of plugin systems and the potential risks that third-party components can introduce into open source platforms.