CVE-2026-26973
IDOR in Discourse ReviewableNotesController Allows Unauthorized Note Modification
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
| discourse | discourse | to 2025.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26973 is an Insecure Direct Object Reference (IDOR) vulnerability in the Discourse platform, specifically in the ReviewableNotesController.
This vulnerability occurs when the site setting `enable_category_group_moderation` is enabled. Under this condition, a user who belongs to a category moderation group can create or delete their own notes on any reviewable item in the system, including those in categories they do not moderate.
The root cause is that the controller uses an unscoped `Reviewable.find` method, and the `ensure_can_see` guard only checks if the user can access the review queue in general, not whether they have permission to access the specific reviewable item.
Staff users such as admins and moderators are not impacted because they already have access to all reviewables.
The vulnerability is patched by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`, ensuring users can only access reviewables they are authorized to see.
As a workaround, disabling the `enable_category_group_moderation` site setting removes the attack surface by restricting review queue access to staff users only.
How can this vulnerability impact me? :
This vulnerability allows users in category moderation groups to create or delete their own notes on any reviewable item in the system, including those in categories they do not moderate.
This means unauthorized users can modify notes on reviewables they should not have access to, leading to unauthorized modification of data.
The impact is limited to integrity, as confidentiality and availability are not affected.
The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating it is relatively easy to exploit remotely with low privileges required and no user interaction needed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs only if the Discourse site setting `enable_category_group_moderation` is enabled. Detection involves verifying if this setting is active and if users belonging to category moderation groups can create or delete notes on reviewables outside their moderation scope.
Since the issue is related to improper scoping in the ReviewableNotesController, you can check your Discourse instance configuration and logs for unusual note creation or deletion activities by category moderators on reviewables they do not moderate.
There are no specific commands provided in the resources to detect exploitation directly. However, you can use Discourse Rails console commands to check the setting and user permissions, for example:
- Check if `enable_category_group_moderation` is enabled: `SiteSetting.enable_category_group_moderation`
- Audit recent note creations/deletions by category moderators on reviewables outside their categories by querying the database or logs.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to disable the `enable_category_group_moderation` site setting. This removes the attack surface by restricting review queue access to staff users only, who are not impacted by this vulnerability.
Additionally, upgrading your Discourse instance to one of the patched versions (2025.12.2, 2026.1.1, or 2026.2.0) will permanently fix the vulnerability by properly scoping the reviewable lookup.