CVE-2026-28282

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add	Patch
https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b	Patch
https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951	Patch
https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.3.0::::latest:::

History

23 Mar 2026, 20:16

Type	Values Removed	Values Added
CPE		cpe:2.3:a:discourse:discourse:2026.3.0::::latest::: cpe:2.3:a:discourse:discourse::::::::
First Time		Discourse Discourse discourse
Summary		(es) Discourse es una plataforma de discusión de código abierto. Las versiones anteriores a 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 tienen una falla de seguridad en el plugin discourse-policy que permitía a un usuario con permiso de creación de políticas obtener acceso de membresía a cualquier grupo privado/restringido. Una vez que se ha obtenido la membresía a un grupo privado/restringido, el usuario podrá leer temas privados a los que solo el grupo tiene acceso. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. Como solución alternativa, revise todas las políticas para el uso de 'add-users-to-group' y elimine temporalmente el atributo de la política. Alternativamente, deshabilite el plugin discourse-policy deshabilitando la configuración del sitio 'policy_enabled'.
References	~~() https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add -~~	() https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add - Patch
References	~~() https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b -~~	() https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b - Patch
References	~~() https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951 -~~	() https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951 - Patch
References	~~() https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf -~~	() https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 20:16

NVD link : CVE-2026-28282

Mitre link : CVE-2026-28282

CVE.ORG link : CVE-2026-28282

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-863

Incorrect Authorization

6.5 /10