CVE-2026-27151
Received Received - Intake
Permission Bypass in Discourse move_posts Allows Unauthorized Post Relocation

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27151
EUVD
EUVD-2026-8890
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 2025.12.2 (exc)
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the Discourse open source discussion platform. It occurs because the "move_posts" action only checks if a user has permission to move posts from the source topic but does not verify if the user has write permissions on the destination topic.'}, {'type': 'paragraph', 'content': 'As a result, users with Trust Level 4 (TL4) and category group moderators can move posts into topics within categories where they normally lack posting privileges, such as read-only categories or categories with group-restricted write access.'}, {'type': 'paragraph', 'content': 'This is a missing authorization issue (CWE-862) where proper permission checks are not performed on the destination topic.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can allow users who should not have posting rights in certain categories to move posts into those restricted areas.'}, {'type': 'paragraph', 'content': 'This could lead to unauthorized content being placed in read-only or restricted categories, potentially disrupting the intended access controls and content organization.'}, {'type': 'paragraph', 'content': "It may also undermine trust in the platform's permission system and could be exploited to bypass restrictions on posting."}] [1]

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Discourse to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart