CVE-2026-26973
Received Received - Intake
IDOR in Discourse ReviewableNotesController Allows Unauthorized Note Modification

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26973
EUVD
EUVD-2026-8878
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
discourse discourse to 2025.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26973 is an Insecure Direct Object Reference (IDOR) vulnerability in the Discourse platform, specifically in the ReviewableNotesController.

This vulnerability occurs when the site setting `enable_category_group_moderation` is enabled. Under this condition, a user who belongs to a category moderation group can create or delete their own notes on any reviewable item in the system, including those in categories they do not moderate.

The root cause is that the controller uses an unscoped `Reviewable.find` method, and the `ensure_can_see` guard only checks if the user can access the review queue in general, not whether they have permission to access the specific reviewable item.

Staff users such as admins and moderators are not impacted because they already have access to all reviewables.

The vulnerability is patched by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`, ensuring users can only access reviewables they are authorized to see.

As a workaround, disabling the `enable_category_group_moderation` site setting removes the attack surface by restricting review queue access to staff users only.

Impact Analysis

This vulnerability allows users in category moderation groups to create or delete their own notes on any reviewable item in the system, including those in categories they do not moderate.

This means unauthorized users can modify notes on reviewables they should not have access to, leading to unauthorized modification of data.

The impact is limited to integrity, as confidentiality and availability are not affected.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating it is relatively easy to exploit remotely with low privileges required and no user interaction needed.

Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs only if the Discourse site setting `enable_category_group_moderation` is enabled. Detection involves verifying if this setting is active and if users belonging to category moderation groups can create or delete notes on reviewables outside their moderation scope.

Since the issue is related to improper scoping in the ReviewableNotesController, you can check your Discourse instance configuration and logs for unusual note creation or deletion activities by category moderators on reviewables they do not moderate.

There are no specific commands provided in the resources to detect exploitation directly. However, you can use Discourse Rails console commands to check the setting and user permissions, for example:

  • Check if `enable_category_group_moderation` is enabled: `SiteSetting.enable_category_group_moderation`
  • Audit recent note creations/deletions by category moderators on reviewables outside their categories by querying the database or logs.
Mitigation Strategies

The immediate mitigation step is to disable the `enable_category_group_moderation` site setting. This removes the attack surface by restricting review queue access to staff users only, who are not impacted by this vulnerability.

Additionally, upgrading your Discourse instance to one of the patched versions (2025.12.2, 2026.1.1, or 2026.2.0) will permanently fix the vulnerability by properly scoping the reviewable lookup.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26973. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart