CVE-2026-28218

Received Received - Intake

Fail-Open Access Control in Discourse Data Explorer Enables SQL Injection

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-26

Last Modified

2026-03-02

Generated

2026-06-16

AI Q&A

2026-02-27

EPSS Evaluated

2026-06-15

NVD

CVE-2026-28218

EUVD

EUVD-2026-8899

Affected Vendors & Products

Vendor	Product	Version / Range
discourse	discourse	to 2025.12.2 (exc)
discourse	discourse	From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse	discourse	2026.2.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-284	The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Discourse open source discussion platform's Data Explorer plugin. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, there is a fail-open access control issue that allows any authenticated user to execute SQL queries that do not have explicit group assignments, including built-in system queries.

This means that users with basic authentication can run potentially sensitive or unrestricted SQL queries because the plugin does not properly restrict access when group permissions are not explicitly set.

The issue is fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0. Workarounds include explicitly setting group permissions on each Data Explorer query without permissions or disabling the discourse-data-explorer plugin.

Impact Analysis

This vulnerability can impact you by allowing any authenticated user to execute SQL queries without proper access restrictions. This could lead to unauthorized access to sensitive data or system information through the Data Explorer plugin.

Because users can run built-in system queries or other queries without explicit group permissions, it may expose data that should otherwise be restricted, potentially leading to data leakage or unauthorized data manipulation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Discourse to versions 2025.12.2, 2026.1.1, or 2026.2.0 where the issue is patched.

Alternatively, as a workaround, you can either explicitly set group permissions on each Data Explorer query that lacks permissions or disable the discourse-data-explorer plugin entirely.

Hi! I’m here to help you understand CVE-2026-28218. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-28218

Fail-Open Access Control in Discourse Data Explorer Enables SQL Injection

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart