CVE-2026-27162
Unauthorized Access in Discourse Posts_Nearby Due to Inadequate Filtering
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 2025.12.2 (exc) |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-27162 is a vulnerability in the Discourse open source discussion platform where the function `posts_nearby` improperly handled access control. Although it checked topic access permissions, it returned all posts regardless of their type, including "whispers"βprivate messages meant to be visible only to authorized whisperers.'}, {'type': 'paragraph', 'content': 'This flaw allowed unauthorized users to see sensitive whisper content in excerpts, exposing information that should have been restricted.'}, {'type': 'paragraph', 'content': 'The issue was fixed by using `Post.secured(guardian)` to properly filter posts based on user permissions, ensuring whispers are only accessible to authorized users.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized exposure of sensitive information, specifically private "whisper" messages within the Discourse platform.'}, {'type': 'paragraph', 'content': 'If exploited, users who should not have access to certain private messages could view them, potentially leading to privacy breaches and loss of trust.'}, {'type': 'paragraph', 'content': 'The severity is moderate, but the impact depends on the sensitivity of the whispered content and the context in which Discourse is used.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to upgrade your Discourse installation to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.
No known workarounds are available, so applying the update is the only effective mitigation.