CVE-2026-27149
Received Received - Intake
SQL Injection in Discourse PM Tag Filtering Exposes Metadata

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, SQL injection in PM tag filtering (`list_private_messages_tag`) allows bypassing tag filter conditions, potentially disclosing unauthorized private message metadata. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27149
EUVD
EUVD-2026-8888
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 2025.12.2 (exc)
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27149 is a high-severity SQL injection vulnerability in the Discourse software, specifically in the private message tag filtering functionality called list_private_messages_tag.

The vulnerability occurs because the software builds SQL commands using input that comes from outside sources without properly escaping or neutralizing special SQL characters. This flaw allows attackers to bypass the tag filter conditions.

As a result, attackers can potentially access private message metadata that they are not authorized to see.

The issue affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, which contain patches to fix this vulnerability.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to bypass tag filtering in private messages and gain unauthorized access to private message metadata.'}, {'type': 'paragraph', 'content': 'Such unauthorized disclosure can lead to privacy breaches, exposing sensitive information about private communications.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves SQL injection, it may also be leveraged to perform further attacks on the database depending on the attacker's skill and the system's configuration."}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Discourse to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.

No known workarounds are available, so applying the update is essential to prevent exploitation of the SQL injection vulnerability in the private message tag filtering functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27149. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart