CVE-2026-27151 in Discourse
Summary
by MITRE • 02/26/2026
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability described in CVE-2026-27151 affects Discourse, an open source discussion platform used as a forum system by communities and organizations. The flaw is an authorization bypass in the platform's per-category permission model. It affects all releases prior to 2025.12.2, 2026.1.1, and 2026.2.0, so three release branches carry the fix, and it allowed users with elevated but non-staff roles to place content in categories they were not permitted to write to.
The technical flaw resides in the `move_posts` action, which validated the source topic with the `can_move_posts?` check but performed no write-permission check on the destination topic. This is a classic authorization gap: the code assumed that a user allowed to move posts out of one topic could place them in any other topic, without confirming that the user could post in the destination topic's category. The result is a failure of least privilege, since the operation grants an effect (creating content in a category) that the user's assigned permissions do not cover.
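The following Ruby snippet is an added illustration of the authorization gap described above, written for this page; it is not Discourse's code. The class and method names (`User`, `Category`, `Topic`, `Guardian`, `can_move_posts?`, `can_create_post_on_topic?`) are assumptions loosely modelled on the guardian pattern the advisory refers to, and the category and user data are constructed. It places the vulnerable shape of the action (source check only) beside the fixed shape (source check plus destination write check) and exercises both against a TL4 user and a read-only category.

```ruby
# Added example: a simplified model of the authorization gap in CVE-2026-27151.
# Names below (User, Category, Topic, Guardian, can_move_posts?,
# can_create_post_on_topic?) are assumptions for illustration, not Discourse code.

User = Struct.new(:name, :trust_level, :group_ids, keyword_init: true)

# A category allows posting only to the listed group IDs. An empty list models a
# read-only category where no ordinary group may post.
Category = Struct.new(:name, :post_group_ids, keyword_init: true)
Topic = Struct.new(:id, :category, keyword_init: true)

class Guardian
  def initialize(user)
    @user = user
  end

  # Simplified rule: TL4 users may move posts out of any topic they can see.
  def can_move_posts?(_source_topic)
    @user.trust_level >= 4
  end

  # Posting requires membership in a group permitted to post in the category.
  def can_create_post_on_topic?(topic)
    (@user.group_ids & topic.category.post_group_ids).any?
  end
end

class ForbiddenError < StandardError; end

# Vulnerable shape: only the source topic is authorized; the destination is not.
def move_posts_vulnerable(guardian, source, destination, post_ids)
  raise ForbiddenError, "cannot move from topic #{source.id}" unless guardian.can_move_posts?(source)
  { moved: post_ids, into: destination.id }
end

# Fixed shape: the destination must also be writable by the acting user.
def move_posts_fixed(guardian, source, destination, post_ids)
  raise ForbiddenError, "cannot move from topic #{source.id}" unless guardian.can_move_posts?(source)
  raise ForbiddenError, "cannot post into topic #{destination.id}" unless guardian.can_create_post_on_topic?(destination)
  { moved: post_ids, into: destination.id }
end

# Constructed sample data: a TL4 user in group 10, an open category where group 10
# may post, and a read-only category where no group may post.
def sample_scenario
  mover = User.new(name: "tl4_user", trust_level: 4, group_ids: [10])
  open_cat = Category.new(name: "general", post_group_ids: [10])
  readonly_cat = Category.new(name: "announcements", post_group_ids: [])
  source = Topic.new(id: 1, category: open_cat)
  locked = Topic.new(id: 2, category: readonly_cat)
  [Guardian.new(mover), source, locked]
end

# Runs one implementation and reports :allowed or :forbidden instead of raising.
def outcome(impl, guardian, source, destination)
  send(impl, guardian, source, destination, [101, 102])
  :allowed
rescue ForbiddenError
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  guardian, source, locked = sample_scenario
  puts "vulnerable, TL4 -> read-only category: #{outcome(:move_posts_vulnerable, guardian, source, locked)}"
  puts "fixed,      TL4 -> read-only category: #{outcome(:move_posts_fixed, guardian, source, locked)}"
  puts "fixed,      TL4 -> open category:      #{outcome(:move_posts_fixed, guardian, source, source)}"
end
```

The fixed variant is the general rule worth carrying into any "move" or "reparent" operation: authorize the read or removal side and the write side separately, with the write check evaluated against the destination's own permissions rather than inferred from the source.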
The operational impact is significant for organizations that rely on Discourse's category permissions to keep some areas controlled. Users with TL4 privileges and category group moderators can use this weakness to move posts into topics in categories where they would normally lack write access, including read-only categories and categories whose posting rights are restricted to particular groups. Content that was never authorized for those areas can therefore appear in them, undermining the integrity of protected categories (for example, an announcements category meant to carry only staff-approved posts). In effect the flaw lets these roles act beyond their assigned category permissions, which is a privilege escalation within the platform's own authorization model.
From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization): an authorization bypass that lets an authenticated user reach a restricted area of the platform. It maps to ATT&CK technique T1078 (Valid Accounts), since exploitation requires an existing account that already holds TL4 or category group moderator privileges; no unauthenticated path is described. Organizations using Discourse should upgrade to 2025.12.2, 2026.1.1, or 2026.2.0, whichever matches their release branch. With no known workarounds, administrators cannot close the gap by configuration; the only lever before upgrading is to keep the set of accounts holding TL4 and category moderator roles small, which narrows who can trigger the flaw but does not remove it. The case illustrates a general rule for systems where users hold different permissions across content areas: any operation that moves or copies a resource must validate permissions on both the source and the destination, not infer the latter from the former.