CVE-2026-28219
Improper Authorization in Discourse Allows Topic Privilege Escalation
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 2025.12.2 (exc) |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Discourse open source discussion platform prior to versions 2025.12.2, 2026.1.1, and 2026.2.0. It is caused by an improper authorization check in the topic management logic. This flaw allows authenticated users to modify privileged attributes of their topics by manipulating specific parameters in PUT or POST requests.
As a result, a regular user can elevate a topicβs status to a site-wide notice or banner, bypassing the intended administrative restrictions.
The issue is fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0, and there are no practical workarounds other than applying the security patch.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing regular authenticated users to promote their topics to site-wide notices or banners without administrative approval.
Such unauthorized promotions can lead to misinformation, abuse of platform visibility, or disruption of normal site operations.
Administrators may need to audit recent changes to site banners and global notices to detect any unauthorized modifications until the patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves authenticated users modifying privileged attributes of their topics by manipulating parameters in PUT or POST requests.
To detect exploitation attempts, administrators should audit recent changes to site banners and global notices for unauthorized promotions.
Since the issue is related to HTTP requests modifying topic attributes, monitoring logs for unusual PUT or POST requests that change topic status to site-wide notices or banners may help identify attempts.
No specific commands are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The only effective mitigation is to apply the security patches provided in Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.
There are no practical workarounds to prevent this behavior other than applying the security patch.
Until the fix is deployed, administrators should audit recent changes to site banners and global notices to detect unauthorized promotions.