CVE-2026-27454 in Discourse
Summary
by MITRE • 03/20/2026
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or if the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user by simply enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and call guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/24/2026
This vulnerability affects Discourse, an open-source discussion platform, and represents a critical authorization bypass flaw that allows unauthorized access to hidden post revisions. The vulnerability exists in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 where the display_post method fails to properly validate user permissions before allowing access to post revision history. The technical implementation flaw occurs when users request specific post revisions through the /posts/:id.json?version=X endpoint, bypassing existing authorization controls that should prevent access to hidden content.
The core issue stems from the absence of proper access control validation within the post.revert_to method execution path. When a user attempts to access a specific revision by version number, the system directly calls post.revert_to without first verifying whether the target revision is marked as hidden or whether the requesting user possesses adequate permissions to view the edit history. This design flaw creates a path where any authenticated user can enumerate revision numbers and access content that staff members intentionally concealed from public view. The vulnerability specifically targets the authorization mechanism that should protect sensitive revision data, allowing attackers to bypass intended access controls through simple parameter manipulation.
From an operational impact perspective, this vulnerability exposes sensitive information that administrators may have deliberately hidden from users. Hidden revisions typically contain potentially sensitive content, draft versions, or edits that staff members wish to keep confidential until proper publication. The ability to enumerate and access these revisions undermines the platform's content management controls and could lead to information disclosure of private communications, draft policies, or other confidential materials that should remain hidden. This represents a significant breach of data confidentiality and access control principles that could compromise user privacy and organizational information security.
The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and demonstrates a clear failure in implementing proper access controls for privileged content. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1078.004, which involves gaining access through valid accounts with restricted access, since unauthorized users can leverage legitimate access to enumerate and access hidden content through the API endpoint. The fix implemented in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 addresses this by introducing proper authorization checks through the guardian.ensure_can_see! method call, which validates that users have appropriate permissions before allowing access to post revisions. This change ensures that the same authorization controls applied to the /posts/:id/revisions/:revision endpoint are consistently enforced across all revision access paths.
Organizations running affected Discourse versions should immediately upgrade to the patched releases to mitigate this vulnerability. The lack of known workarounds means that administrators cannot implement temporary fixes or configuration changes to address the issue. Security teams should conduct thorough audits of post revision history to identify any unauthorized access that may have occurred during the vulnerability window. Additionally, monitoring for unusual access patterns in the API endpoints related to post revisions should be implemented as part of ongoing security operations. The vulnerability demonstrates the critical importance of consistent authorization enforcement across all code paths that handle privileged content, particularly in collaborative platforms where content management and access control are fundamental security requirements.