CVE-2026-27151
Permission Bypass in Discourse move_posts Allows Unauthorized Post Relocation
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 2025.12.2 (exc) |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability exists in the Discourse open source discussion platform. It occurs because the "move_posts" action only checks if a user has permission to move posts from the source topic but does not verify if the user has write permissions on the destination topic.'}, {'type': 'paragraph', 'content': 'As a result, users with Trust Level 4 (TL4) and category group moderators can move posts into topics within categories where they normally lack posting privileges, such as read-only categories or categories with group-restricted write access.'}, {'type': 'paragraph', 'content': 'This is a missing authorization issue (CWE-862) where proper permission checks are not performed on the destination topic.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can allow users who should not have posting rights in certain categories to move posts into those restricted areas.'}, {'type': 'paragraph', 'content': 'This could lead to unauthorized content being placed in read-only or restricted categories, potentially disrupting the intended access controls and content organization.'}, {'type': 'paragraph', 'content': "It may also undermine trust in the platform's permission system and could be exploited to bypass restrictions on posting."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade Discourse to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.