CVE-2026-27162
Status: Received - Intake
Unauthorized Access in Discourse Posts_Nearby Due to Inadequate Filtering

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian)` to properly filter post types based on user permissions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
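The bug pattern described above, as an added illustration that is not Discourse's own code: simplified stand-ins for Discourse's `Post`, `Topic` and `Guardian` (all assumed), a `posts_nearby` in the vulnerable shape that checks topic access and then returns every post in the window, and a fixed shape that first scopes the post set by what the viewer may see, which is the role `Post.secured(guardian)` plays in the real fix.

```ruby
# Added illustration of CVE-2026-27162, not Discourse's own code: the Post,
# Topic and Guardian classes below are simplified stand-ins (assumptions).
Post  = Struct.new(:post_number, :topic_id, :raw, :whisper, keyword_init: true)
Topic = Struct.new(:id, :private, keyword_init: true)

# Stand-in for Discourse's Guardian: whispers are visible to staff only.
class Guardian
  def initialize(staff:)
    @staff = staff
  end

  def can_see_topic?(topic)
    !topic.private || @staff
  end

  def can_see_post?(post)
    !post.whisper || @staff
  end
end

# Constructed sample data: one public topic holding a staff whisper between
# two ordinary replies.
TOPIC = Topic.new(id: 7, private: false)
POSTS = [
  Post.new(post_number: 1, topic_id: 7, raw: "public reply",         whisper: false),
  Post.new(post_number: 2, topic_id: 7, raw: "staff-only whisper",   whisper: true),
  Post.new(post_number: 3, topic_id: 7, raw: "another public reply", whisper: false),
].freeze

def near?(post, topic, post_number, window)
  post.topic_id == topic.id && (post.post_number - post_number).abs <= window
end

# Vulnerable shape: topic access is checked, but every post in the window is
# returned regardless of type, so the whisper leaks to a non-staff viewer.
def posts_nearby_vulnerable(guardian, topic, post_number, posts: POSTS, window: 1)
  return [] unless guardian.can_see_topic?(topic)
  posts.select { |p| near?(p, topic, post_number, window) }
end

# Fixed shape: scope the post set by what the viewer may see (the role of
# Post.secured(guardian) in Discourse) before applying the proximity filter.
def posts_nearby_fixed(guardian, topic, post_number, posts: POSTS, window: 1)
  return [] unless guardian.can_see_topic?(topic)
  posts.select { |p| guardian.can_see_post?(p) && near?(p, topic, post_number, window) }
end
```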

Meta Information
Published: 2026-02-26
Last Modified: 2026-03-02
Generated: 2026-06-16
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-06-15

Affected Vendors & Products (3 associated CPEs)

Vendor      Product     Version / Range
discourse   discourse   up to 2025.12.2 (excluding)
discourse   discourse   from 2026.1.0 (including) up to 2026.1.1 (excluding)
discourse   discourse   2026.2.0

CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-27162 is a vulnerability in the Discourse open source discussion platform where the function `posts_nearby` improperly handled access control. Although it checked topic access permissions, it returned all posts regardless of their type, including "whispers", private messages meant to be visible only to authorized whisperers.

This flaw allowed unauthorized users to see sensitive whisper content in excerpts, exposing information that should have been restricted.

The issue was fixed by using `Post.secured(guardian)` to properly filter posts based on user permissions, ensuring whispers are only accessible to authorized users. [1]

Impact Analysis

This vulnerability can lead to unauthorized exposure of sensitive information, specifically private "whisper" messages within the Discourse platform.

If exploited, users who should not have access to certain private messages could view them, potentially leading to privacy breaches and loss of trust.

The severity is moderate, but the impact depends on the sensitivity of the whispered content and the context in which Discourse is used. [1]

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade your Discourse installation to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.

No known workarounds are available, so applying the update is the only effective mitigation.
