CVE-2026-26979

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.2.0::::latest:::

History

02 Mar 2026, 21:34

Type	Values Removed	Values Added
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f - Vendor Advisory
CPE		cpe:2.3:a:discourse:discourse:::::::: cpe:2.3:a:discourse:discourse:2026.2.0::::latest:::
First Time		Discourse Discourse discourse
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 2.7

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) Discourse es una plataforma de discusión de código abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, los usuarios TL4 pueden cerrar, archivar y fijar temas en categorías privadas a las que no tienen acceso. Las versiones 2025.12.2, 2026.1.1 y 2026.2.0 parchean el problema. No hay soluciones alternativas conocidas disponibles.

26 Feb 2026, 20:31

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 20:31

Updated : 2026-03-02 21:34

NVD link : CVE-2026-26979

Mitre link : CVE-2026-26979

CVE.ORG link : CVE-2026-26979

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-26979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 0.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T20:31:37.833", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, los usuarios TL4 pueden cerrar, archivar y fijar temas en categor\u00edas privadas a las que no tienen acceso. Las versiones 2025.12.2, 2026.1.1 y 2026.2.0 parchean el problema. No hay soluciones alternativas conocidas disponibles."}], "lastModified": "2026-03-02T21:34:00.793", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DB837D7-28C8-4E0F-B55F-AAAA36F32035", "versionEndExcluding": "2025.12.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "2026.1.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*", "vulnerable": true, "matchCriteriaId": "BB002FDC-BC71-4C46-8AAF-A34EC717E0E7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}