CVE-2026-26207
Authorization Bypass in Discourse-Policy Plugin Causes Data Exposure
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
| discourse | discourse | to 2025.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26207 is a moderate severity vulnerability in the discourse-policy plugin of Discourse. It occurs because the PolicyController loads posts by ID without verifying that the authenticated user has permission to view those posts.
This flaw allows policy group members to accept or unaccept policies on posts in private categories or private messages they are not authorized to see. Additionally, any authenticated user can enumerate which post IDs have policies attached by observing different error responses, leading to information disclosure.
The issue is fixed by adding a visibility check (`guardian.can_see?(@post)`) before any policy action is processed. Disabling the discourse-policy plugin entirely also eliminates the vulnerability.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to interact with policies on posts they should not have access to, such as posts in private categories or private messages.
It also enables any authenticated user to discover which posts have policies attached through information disclosure caused by differentiated error messages.
While it does not affect system availability, it poses risks to confidentiality and integrity by allowing limited unauthorized data disclosure and modification.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to policy actions on posts that users cannot view and information disclosure through differentiated error responses. Detection would involve monitoring for unusual policy interactions by authenticated users on posts in private categories or private messages they should not access.
Since the vulnerability is related to the discourse-policy plugin's PolicyController loading posts without proper access checks, detection could include reviewing application logs for policy accept/unaccept actions performed by users on posts in private areas.
No specific commands or network detection signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the discourse-policy plugin to versions 2025.12.2, 2026.1.1, or 2026.2.0 where the vulnerability is patched by adding a visibility check (`guardian.can_see?(@post)`) before any policy action.
If upgrading is not immediately possible, the workaround is to disable the discourse-policy plugin entirely by setting `policy_enabled = false`. This eliminates the vulnerability but disables policy functionality.
No other workarounds are available without upgrading.
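The following Ruby sketch is an added example, not code from discourse-policy or Discourse. It models the flaw described above (a controller that loads a post by ID and acts on its policy without a visibility check, answering differently depending on whether a policy exists) beside a hardened version that runs a `can_see?` check first and returns one uniform response for both a missing post and a post the caller may not see. `Post`, `Guardian`, `POSTS`, `vulnerable_accept`, `hardened_accept` and the `policy_enabled:` keyword are simplified stand-ins chosen for this example; the sample posts and users are constructed.

```ruby
# Added example modelling CVE-2026-26207 (missing authorization check, CWE-862).
# Post, Guardian, POSTS and the two accept functions are hypothetical stand-ins,
# not the discourse-policy plugin's own classes.

Post = Struct.new(:id, :private, :has_policy)

# Constructed sample data: two public posts and one post in a private category.
POSTS = {
  1 => Post.new(1, false, true),   # public, policy attached
  2 => Post.new(2, true,  true),   # private, policy attached
  3 => Post.new(3, false, false),  # public, no policy
}.freeze

# Hypothetical guardian: private posts are visible only to admins.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    !post.private || @user[:admin]
  end
end

# Vulnerable flow: load by ID, look at the policy, never check visibility.
# A non-admin can act on the private post, and the three distinct responses
# tell any authenticated caller whether a given ID has a policy attached.
def vulnerable_accept(user, post_id)
  post = POSTS[post_id]
  return [404, "post not found"] unless post
  return [422, "no policy on this post"] unless post.has_policy
  [200, "accepted by #{user[:name]}"]
end

# Hardened flow: visibility check before any policy action. A post the user
# cannot see is answered exactly like a post that does not exist, so the
# response no longer reveals anything about invisible posts. The
# policy_enabled: flag models the page's workaround of disabling the plugin.
def hardened_accept(user, post_id, policy_enabled: true)
  return [404, "not found"] unless policy_enabled
  post = POSTS[post_id]
  guardian = Guardian.new(user)
  return [404, "not found"] if post.nil? || !guardian.can_see?(post)
  # Revealing "no policy" is acceptable here: the caller can see the post anyway.
  return [422, "no policy on this post"] unless post.has_policy
  [200, "accepted by #{user[:name]}"]
end

if __FILE__ == $PROGRAM_NAME
  member = { name: "member", admin: false }
  [1, 2, 3, 99].each do |id|
    puts "post #{id}: vulnerable=#{vulnerable_accept(member, id).inspect} " \
         "hardened=#{hardened_accept(member, id).inspect}"
  end
end
```

The check that matters for detection and review is the pairing of "not found" with "not visible": in the hardened path a non-admin receives the same 404 for post 2 (private) as for post 99 (absent), while the vulnerable path returns 200 for post 2 and a different status for each of the other IDs.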