CVE-2026-27152 in Discourse
Summary
by MITRE • 02/26/2026
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipient PM restrictions that are enforced during DM channel creation. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability described in CVE-2026-27152 affects Discourse, an open source discussion platform that serves as a collaborative forum for communities and organizations. This security flaw resides in the chat functionality of the platform, specifically within the Chat::AddUsersToChannel method that handles the addition of participants to existing direct message channels. The issue represents a significant bypass of intended access controls that are fundamental to user privacy and communication preferences within the platform's messaging system.
The technical flaw is a failure of access control enforcement when users are added to existing direct message channels. When a user adds members to a DM channel through the Chat::AddUsersToChannel method, the system does not validate whether the target users have blocked, ignored, or muted the requesting user. The missing check applies only to the modification of existing DM channels; during initial channel creation the same restrictions are enforced. A user can therefore circumvent the communication preferences that are respected when a new DM channel is created, enabling unwanted interactions with users who have expressed a preference not to communicate with them.
The operational impact of this vulnerability extends beyond simple privacy concerns to potentially enable harassment, stalking, or unwanted communication patterns within the Discourse platform. Attackers could exploit this flaw to add users who have explicitly blocked them to existing direct message conversations, effectively bypassing the intended privacy controls. This creates a scenario where users can be forced into unwanted communication channels, undermining the trust and safety mechanisms that are fundamental to discussion platforms. The vulnerability affects the core messaging functionality and could be particularly problematic in environments where user safety and communication preferences are paramount, such as professional communities or sensitive discussion forums.
The fix for this vulnerability was implemented in versions 2025.12.2, 2026.1.1, and 2026.2.0 of the Discourse platform, which properly enforce the communication preference restrictions during the addition of users to existing DM channels. This patch addresses the root cause by ensuring that the Chat::AddUsersToChannel method performs proper validation against user preferences, preventing users from adding those who have blocked or muted them to existing direct message conversations. Organizations using Discourse should immediately upgrade to these patched versions to remediate the vulnerability, as no known workarounds exist to address this specific bypass issue.
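The inconsistency described above, modelled as an added example that is not Discourse's own code: a single "may this sender message this recipient" policy is enforced on DM creation, a vulnerable add-members path that skips it, and a hardened one that reuses it. All class, method and user names here are hypothetical.

```ruby
# Added illustration (hypothetical names, not Discourse's real classes):
# the same recipient-preference policy must gate every path that puts a
# user into a DM channel, not only channel creation.
require 'set'

class User
  attr_reader :name, :blocked, :ignored, :muted
  def initialize(name)
    @name = name
    @blocked = Set.new   # names of users this user has blocked
    @ignored = Set.new   # names of users this user ignores
    @muted   = Set.new   # names of users this user has muted
  end
end

# Single policy decision: may `sender` open or extend a DM with `recipient`?
def can_message?(sender, recipient)
  return true if sender.equal?(recipient)
  return false if recipient.blocked.include?(sender.name)
  return false if recipient.ignored.include?(sender.name)
  return false if recipient.muted.include?(sender.name)
  true
end

class DmChannel
  attr_reader :members
  def initialize(members) = @members = members.to_set
end

# Channel creation enforces the policy for every target.
def create_dm(creator, targets)
  denied = targets.reject { |t| can_message?(creator, t) }
  return [:denied, denied.map(&:name)] unless denied.empty?
  [:ok, DmChannel.new([creator] + targets)]
end

# Vulnerable pattern: the membership change never consults the policy,
# so a recipient who blocked `actor` is added anyway.
def add_users_vulnerable(channel, actor, targets)
  targets.each { |t| channel.members << t }
  [:ok, channel]
end

# Hardened pattern: the add path reuses the same policy as creation.
def add_users_fixed(channel, actor, targets)
  denied = targets.reject { |t| can_message?(actor, t) }
  return [:denied, denied.map(&:name)] unless denied.empty?
  targets.each { |t| channel.members << t }
  [:ok, channel]
end
```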
From a cybersecurity perspective, this vulnerability aligns with CWE-668, which covers "Exposure of Resource to Wrong Sphere," as it allows unauthorized access to communication resources through improper access control validation. The issue also relates to ATT&CK technique T1566, "Phishing," as it could enable attackers to bypass user protections and force unwanted communication. The vulnerability demonstrates the importance of maintaining consistent access control enforcement throughout all phases of system operation rather than relying on initial validation points, particularly in communication platforms where user privacy and safety are critical considerations.