CVE-2026-27935 in Discourse
Summary
by MITRE • 03/20/2026
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Analysis
by VulDB Data Team • 03/24/2026
This vulnerability exists within the Discourse open-source discussion platform, where improper access control allows moderator users to obtain private topic metadata belonging to admin users. The flaw lies in the API endpoint that serves topic metadata, creating a privilege escalation scenario in which users with a lower administrative role can retrieve information that should remain restricted to administrators. This represents a critical breakdown in the platform's security model: role-based access controls fail to enforce data isolation between user tiers. The vulnerability affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, indicating a persistent issue that required significant architectural changes to resolve properly.
The technical flaw stems from inadequate authorization checks in the API endpoint that handles topic metadata requests. When a moderator requests topic information, the system does not verify that the requesting user is actually permitted to see the specific topic whose metadata is being returned. As a result, the endpoint returns private topic information, including subject matter, creation timestamps, author details, and potentially other metadata fields that should be visible only to administrators and topic owners. The vulnerability is a direct information disclosure: sensitive metadata flows to unauthorized users through the API without a per-topic authorization check, even though the caller is authenticated.
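The following is an added illustration, not Discourse's own code, of the access-control pattern described above: an endpoint that gates only on the caller's role versus one that authorizes against the specific topic. The `Topic`, `User`, `can_see_topic?` and `*_topic_metadata` names, and the sample records, are constructed for this example and do not correspond to Discourse internals.

```ruby
# Hypothetical, simplified model (not Discourse's code) of the flaw class in
# this advisory: a metadata endpoint that checks the caller's role instead of
# the caller's right to see the particular topic.

Topic = Struct.new(:id, :title, :created_at, :author, :private, :allowed_user_ids, keyword_init: true)
User  = Struct.new(:id, :username, :role, keyword_init: true) # role: :user, :moderator or :admin

# Object-level visibility rule: public topics are visible to everyone; a
# private topic is visible only to the users explicitly allowed on it.
def can_see_topic?(user, topic)
  return true unless topic.private
  topic.allowed_user_ids.include?(user.id)
end

# The fields the endpoint exposes; exactly the kind of metadata the advisory
# says leaked (title, creation time, author).
def metadata_for(topic)
  { id: topic.id, title: topic.title, created_at: topic.created_at, author: topic.author }
end

# Vulnerable pattern: only a role check ("is the caller staff?"). A moderator
# who is not a member of a private admin topic still gets its metadata.
def vulnerable_topic_metadata(user, topic)
  return nil if topic.nil?
  return nil unless %i[moderator admin].include?(user.role)
  metadata_for(topic)
end

# Hardened pattern: authorize against the object, not just the role, and
# answer "not found" both for a missing topic and for one the caller cannot
# see, so the response does not reveal that a private topic exists.
def hardened_topic_metadata(user, topic)
  return nil if topic.nil? || !can_see_topic?(user, topic)
  metadata_for(topic)
end

# Constructed sample data: an admin, a moderator, one admin-only private topic
# and one public topic.
ADMIN     = User.new(id: 1, username: "admin", role: :admin)
MODERATOR = User.new(id: 2, username: "mod",   role: :moderator)

ADMIN_ONLY_TOPIC = Topic.new(id: 42, title: "Incident review", created_at: "2026-03-01T09:00:00Z",
                             author: "admin", private: true, allowed_user_ids: [1])
PUBLIC_TOPIC     = Topic.new(id: 7, title: "Welcome", created_at: "2026-01-10T12:00:00Z",
                             author: "admin", private: false, allowed_user_ids: [])

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, moderator -> admin-only topic: #{vulnerable_topic_metadata(MODERATOR, ADMIN_ONLY_TOPIC).inspect}"
  puts "hardened,   moderator -> admin-only topic: #{hardened_topic_metadata(MODERATOR, ADMIN_ONLY_TOPIC).inspect}"
  puts "hardened,   admin     -> admin-only topic: #{hardened_topic_metadata(ADMIN, ADMIN_ONLY_TOPIC).inspect}"
end
```

The useful regression test for this class of bug is the second call: a moderator who is not a member of a private topic must get the same response as for a non-existent topic. Checking that an endpoint refuses unauthenticated callers is not enough, because here the caller is authenticated and holds a staff role; the missing check is the per-object one.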
The operational impact of this vulnerability is severe as it enables unauthorized information gathering that could lead to targeted attacks, social engineering campaigns, or strategic planning by malicious actors. Moderators who exploit this vulnerability can gain insights into admin activities, sensitive discussions, and potentially identify security gaps in the platform's administrative operations. This information disclosure could facilitate more sophisticated attacks such as credential harvesting, targeted phishing attempts, or exploitation of admin-specific vulnerabilities. The breach undermines the trust model of the platform and could result in compliance violations for organizations using Discourse in regulated environments where data protection is mandatory.
Organizations running affected versions of Discourse must upgrade immediately to patched versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 to remediate this vulnerability. Because no workarounds are known, administrators cannot apply a temporary fix in place of the official patches. Security teams should audit their Discourse installations to identify affected versions and ensure all instances are updated promptly. The vulnerability aligns with CWE-284 (Improper Access Control) and is a clear violation of the principle of least privilege that should govern all access control mechanisms. It also maps to ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), since access to administrative metadata could enable more sophisticated attack vectors. Organizations should monitor for unusual API access patterns that might indicate exploitation attempts and consider penetration testing to verify the effectiveness of the applied patches.