CVE-2026-26207
Received Received - Intake
Authorization Bypass in Discourse-Policy Plugin Causes Data Exposure

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without verifying the current user's access, enabling policy group members to accept/unaccept policies on posts in private categories or PMs they cannot see and any authenticated user to enumerate which post IDs have policies attached via differentiated error responses (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a `guardian.can_see?(@post)` check in the `set_post` before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (`policy_enabled = false`) eliminates the vulnerability. There is no other workaround without upgrading.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26207
EUVD
EUVD-2026-8857
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
discourse discourse to 2025.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26207 is a moderate severity vulnerability in the discourse-policy plugin of Discourse. It occurs because the PolicyController loads posts by ID without verifying if the authenticated user has permission to view those posts.

This flaw allows policy group members to accept or unaccept policies on posts in private categories or private messages they are not authorized to see. Additionally, any authenticated user can enumerate which post IDs have policies attached by observing different error responses, leading to information disclosure.

The issue is fixed by adding a visibility check (`guardian.can_see?(@post)`) before any policy action is processed. Disabling the discourse-policy plugin entirely also eliminates the vulnerability.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to interact with policies on posts they should not have access to, such as posts in private categories or private messages.

It also enables any authenticated user to discover which posts have policies attached through information disclosure caused by differentiated error messages.

While it does not affect system availability, it poses risks to confidentiality and integrity by allowing limited unauthorized data disclosure and modification.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to policy actions on posts that users cannot view and information disclosure through differentiated error responses. Detection would involve monitoring for unusual policy interactions by authenticated users on posts in private categories or private messages they should not access.'}, {'type': 'paragraph', 'content': "Since the vulnerability is related to the discourse-policy plugin's PolicyController loading posts without proper access checks, detection could include reviewing application logs for policy accept/unaccept actions performed by users on posts in private areas."}, {'type': 'paragraph', 'content': 'No specific commands or network detection signatures are provided in the available resources.'}] [1]

Mitigation Strategies

The primary mitigation is to upgrade the discourse-policy plugin to versions 2025.12.2, 2026.1.1, or 2026.2.0 where the vulnerability is patched by adding a visibility check (`guardian.can_see?(@post)`) before any policy action.

If upgrading is not immediately possible, the workaround is to disable the discourse-policy plugin entirely by setting `policy_enabled = false`. This eliminates the vulnerability but disables policy functionality.

No other workarounds are available without upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart