CVE-2026-28219
Received Received - Intake
Improper Authorization in Discourse Allows Topic Privilege Escalation

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28219
EUVD
EUVD-2026-8900
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 2025.12.2 (exc)
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Discourse open source discussion platform prior to versions 2025.12.2, 2026.1.1, and 2026.2.0. It is caused by an improper authorization check in the topic management logic. This flaw allows authenticated users to modify privileged attributes of their topics by manipulating specific parameters in PUT or POST requests.

As a result, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing the intended administrative restrictions.

The issue is fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0, and there are no practical workarounds other than applying the security patch.

Impact Analysis

This vulnerability can impact you by allowing regular authenticated users to promote their topics to site-wide notices or banners without administrative approval.

Such unauthorized promotions can lead to misinformation, abuse of platform visibility, or disruption of normal site operations.

Administrators may need to audit recent changes to site banners and global notices to detect any unauthorized modifications until the patch is applied.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves authenticated users modifying privileged attributes of their topics by manipulating parameters in PUT or POST requests.

To detect exploitation attempts, administrators should audit recent changes to site banners and global notices for unauthorized promotions.

Since the issue is related to HTTP requests modifying topic attributes, monitoring logs for unusual PUT or POST requests that change topic status to site-wide notices or banners may help identify attempts.

No specific commands are provided in the available information.

Mitigation Strategies

The only effective mitigation is to apply the security patches provided in Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.

There are no practical workarounds to prevent this behavior other than applying the security patch.

Until the fix is deployed, administrators should audit recent changes to site banners and global notices to detect unauthorized promotions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart