CVE-2026-29072 in Discourse
Summary
by MITRE • 03/20/2026
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Analysis
by VulDB Data Team • 03/24/2026
CVE-2026-29072 affects the discourse-policy plugin of Discourse, the open-source discussion platform that communities and organizations run as a forum. It is an authorization bypass in the plugin's policy feature: users who are not members of the groups permitted to create policies can, under conditions the advisory does not spell out, still create working policy acceptance widgets in posts. Discourse releases prior to 2026.3.0-latest.1, 2026.2.1 and 2026.1.2 are affected; those three releases carry the fix, so the release to compare an installation against depends on which of the three lines it tracks.
Technically the flaw is an incomplete authorization check around policy creation. The intended model is simple: the ability to place a functional policy acceptance widget in a post is reserved to members of explicitly configured policy-creation groups, and everyone else either cannot save such markup or gets an inert rendering of it. That check did not hold on every path, so a user outside those groups could, under the right conditions, create and use a widget, collapsing the boundary between ordinary posters and policy authors. The advisory does not say which code path or condition was at fault, so operators should not assume that a particular trigger (a specific post type, editing flow or group configuration) is required before treating their site as exposed.
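The rule described above, as an added example rather than code from Discourse or the discourse-policy plugin: a guardian that admits a functional policy widget only when the acting user belongs to an allowed group, with a render-time backstop so that markup which slipped past the save-time check still renders inert. All class names, the `DEFAULT_POLICY_GROUPS` setting and the `[policy ...]` pattern are hypothetical stand-ins (the plugin's real syntax and setting names are not on this page), and the `weak_allows_policy?` variant illustrates one common way a CWE-285 check goes wrong, not the condition behind CVE-2026-29072, which the advisory does not disclose.

```ruby
# Added illustration, not code from Discourse or discourse-policy.
# Every name below is a hypothetical stand-in for the real plugin's objects.
require "set"

# groups: Set of group names the user belongs to.
User = Struct.new(:username, :groups)

# author: user recorded on the post; editor: user performing the current save.
Post = Struct.new(:author, :editor, :raw)

# Hypothetical site setting listing the groups allowed to create policies.
DEFAULT_POLICY_GROUPS = Set["staff", "compliance"].freeze

# Hypothetical widget markup; the plugin's own syntax is not reproduced here.
POLICY_TAG = /\[policy\b[^\]]*\]/i

class PolicyGuardian
  def initialize(allowed_groups = DEFAULT_POLICY_GROUPS)
    @allowed = allowed_groups
  end

  # The CWE-285 test proper: group membership of the acting principal.
  def policy_author?(user)
    return false if user.nil? || user.groups.nil?
    !(user.groups & @allowed).empty?
  end

  def contains_policy?(raw)
    raw.to_s.match?(POLICY_TAG)
  end

  # Weak variant (bug-class illustration, hypothetical): the check keys off the
  # post's recorded author, so a later save by a different user is authorized
  # on the strength of someone who is not the one acting.
  def weak_allows_policy?(post)
    return true unless contains_policy?(post.raw)
    policy_author?(post.author)
  end

  # Hardened variant: authorize the user who is actually saving this revision.
  def allows_policy?(post)
    return true unless contains_policy?(post.raw)
    policy_author?(post.editor)
  end

  # Defence in depth at render time: a post that got past the save-time check
  # must still not yield a functional widget. Unauthorized markup is rewritten
  # to visible inert text rather than silently dropped, so it stays auditable.
  def cook(post)
    return post.raw unless contains_policy?(post.raw)
    return post.raw if policy_author?(post.editor) # functional widget
    post.raw.gsub(POLICY_TAG, "[unauthorized policy markup ignored]")
  end
end

if __FILE__ == $PROGRAM_NAME
  g = PolicyGuardian.new
  alice = User.new("alice", Set["staff"])
  bob = User.new("bob", Set["trust_level_1"])
  raw = "Please accept: [policy group=staff]Terms[/policy]"
  tampered = Post.new(alice, bob, raw) # constructed sample: bob edits alice's post
  puts "weak check admits bob's edit:     #{g.weak_allows_policy?(tampered)}"
  puts "hardened check admits bob's edit: #{g.allows_policy?(tampered)}"
  puts "rendered for bob's edit:          #{g.cook(tampered)}"
end
```

The point of checking `editor` rather than `author`, and of re-checking at render time, is that a widget is "functional" only if it reaches the reader as a live control; an authorization decision made once at creation and never revisited is exactly the kind of gap that lets a non-member end up with a working widget.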
The impact is broader than unauthorized use of a feature. Policy acceptance widgets are how a forum collects and records a member's agreement to terms of service, privacy policies or similar obligations, and those acceptance records are what an organization points to when it has to show who agreed to what and when. If any member can stand up a functional widget, they can present a policy to other members that looks official, collect acceptances against it, or muddy the record of legitimate acceptances, leaving the organization unable to demonstrate compliance or to trust its audit trail of agreements. Whether a widget created by an unauthorized user could also affect existing acceptance records is not stated in the advisory.
VulDB classifies the weakness as CWE-285, Improper Authorization: the application performs a privileged action without correctly verifying that the acting user is entitled to it. Mapping a CVE onto ATT&CK is approximate, but the nearest tactic is Privilege Escalation, since an ordinary member gains an ability reserved to a more privileged group. Sites that rely on policy acceptance for compliance or contractual purposes should treat the issue as relevant to their assurance posture, not merely as a forum-feature bug.
The fixed releases enforce the group check so that only members of the designated policy-creation groups can produce a functional policy acceptance widget. Where an update cannot be applied immediately, the vendor workaround is to disable the discourse-policy plugin by turning off the `policy_enabled` site setting. That removes the attack surface entirely, but it also takes the policy feature away from legitimate users while it is off, so it is a stop-gap rather than a remediation. A practical sequence is: disable the setting, review existing posts that contain policy widgets and the groups currently configured as allowed policy creators, update to the fixed release for the installation's release line, and only then re-enable the setting.