CVE-2026-28227 PUBLISHED

Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Assigner: GitHub_M
Reserved: 25.02.2026 Published: 26.02.2026 Updated: 26.02.2026

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the publish_to_category topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
CVSS Score: 1.2

Product Status

Vendor discourse
Product discourse
Versions
  • Version < 2025.12.2 is affected
  • Version >= 2026.1.0-latest, < 2026.1.1 is affected
  • Version >= 2026.2.0-latest, < 2026.2.0 is affected

References

Problem Types

  • CWE-863: Incorrect Authorization CWE