CVE-2026-27150
Received Received - Intake
Authorization Bypass in Discourse Data Explorer Causes Metadata Disclosure

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-05-07
AI Q&A
2026-02-26
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27150
EUVD
EUVD-2026-8889
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 2025.12.2 (exc)
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "CVE-2026-27150 is an authorization vulnerability in the Discourse platform, specifically in the Data Explorer's QueryGroupBookmarkable feature."}, {'type': 'paragraph', 'content': 'The issue occurs because the system does not perform a required authorization check called `validate_before_create` when users create bookmarks for query groups.'}, {'type': 'paragraph', 'content': 'As a result, any logged-in user can create bookmarks for query groups they do not have permission to access.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized disclosure of metadata through bookmark reminder notifications.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified under CWE-862 (Missing Authorization) and has a moderate severity rating.'}, {'type': 'paragraph', 'content': 'It has been fixed in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding the missing authorization check and enforcing that `validate_before_create` throws a NotImplementedError if not implemented.'}] [1]


How can this vulnerability impact me? :

This vulnerability allows any authenticated user to create bookmarks for query groups they are not authorized to access.

As a consequence, unauthorized users may receive bookmark reminder notifications containing metadata they should not see.

This can lead to unintended disclosure of sensitive information within your organization or community using Discourse.

There are no known workarounds, so the recommended action is to upgrade to a fixed version.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade Discourse to one of the fixed versions: 2025.12.2, 2026.1.1, or 2026.2.0.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart