CVE-2026-27150
Received Received - Intake
Authorization Bypass in Discourse Data Explorer Causes Metadata Disclosure

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27150
EUVD
EUVD-2026-8889
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 2025.12.2 (exc)
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27150 is an authorization vulnerability in the Discourse platform, specifically in the Data Explorer's QueryGroupBookmarkable feature."}, {'type': 'paragraph', 'content': 'The issue occurs because the system does not perform a required authorization check called `validate_before_create` when users create bookmarks for query groups.'}, {'type': 'paragraph', 'content': 'As a result, any logged-in user can create bookmarks for query groups they do not have permission to access.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized disclosure of metadata through bookmark reminder notifications.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified under CWE-862 (Missing Authorization) and has a moderate severity rating.'}, {'type': 'paragraph', 'content': 'It has been fixed in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding the missing authorization check and enforcing that `validate_before_create` throws a NotImplementedError if not implemented.'}] [1]

Impact Analysis

This vulnerability allows any authenticated user to create bookmarks for query groups they are not authorized to access.

As a consequence, unauthorized users may receive bookmark reminder notifications containing metadata they should not see.

This can lead to unintended disclosure of sensitive information within your organization or community using Discourse.

There are no known workarounds, so the recommended action is to upgrade to a fixed version.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Discourse to one of the fixed versions: 2025.12.2, 2026.1.1, or 2026.2.0.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27150. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart