CVE-2026-27454
Authorization Bypass in Discourse Post Revision Access

Publication date: 2026-03-19

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or whether the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user simply by enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and calls guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)
Vendor     Product     Version / Range
discourse  discourse   from 2026.1.0 (inclusive) to 2026.1.2 (exclusive)
discourse  discourse   from 2026.2.0 (inclusive) to 2026.2.1 (exclusive)
discourse  discourse   2026.3.0
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-27454 is an authorization bypass vulnerability in the Discourse forum software affecting the endpoint `/posts/:id.json?version=X` used to access post revisions.

Before the fix, the `display_post` method directly called `post.revert_to(version)` without checking if the requested post revision was hidden or if the user had permission to view the edit history.

This flaw allowed any user to access hidden post revisions (intentionally concealed by staff) simply by enumerating version numbers, bypassing authorization checks.

The fix involves modifying the method to first retrieve the corresponding `PostRevision` object and then call `guardian.ensure_can_see!` to enforce proper permission checks before reverting to that revision.

This change aligns the authorization logic with the existing `/posts/:id/revisions/:revision` endpoint, ensuring only authorized users can view hidden or restricted revisions.
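The vulnerable and fixed shapes of the handler described above, as an added Ruby illustration that is not Discourse's own code: only the names `display_post`, `Post#revert_to`, `PostRevision` and `Guardian#ensure_can_see!` follow the advisory; the classes, their bodies and the "hidden revisions are staff-only" policy are stand-ins assumed for this example.

```ruby
# Added illustration, not Discourse's code: simplified model of the
# /posts/:id.json?version=X handler before and after the CVE-2026-27454 fix.
# Method names follow the advisory; all bodies here are stand-ins (assumptions).

class InvalidAccess < StandardError; end
PostRevision = Struct.new(:number, :raw, :hidden)

class Post
  attr_reader :revisions

  def initialize(revisions)
    @revisions = revisions
  end

  # Stand-in: returns the post body as of revision `version`.
  def revert_to(version)
    rev = revisions.find { |r| r.number == version }
    raise ArgumentError, "no revision #{version}" unless rev
    rev.raw
  end
end

class Guardian
  def initialize(staff:)
    @staff = staff
  end

  # Stand-in policy: hidden revisions are staff-only, others are public.
  def can_see?(revision)
    @staff || !revision.hidden
  end

  def ensure_can_see!(revision)
    raise InvalidAccess, "hidden revision" unless can_see?(revision)
  end
end

# Vulnerable shape: reverts straight from the version number, no authorization.
def display_post_vulnerable(post, version, _guardian)
  post.revert_to(version)
end

# Fixed shape: resolve the PostRevision and authorize it before reverting.
def display_post_fixed(post, version, guardian)
  revision = post.revisions.find { |r| r.number == version }
  raise ArgumentError, "no revision #{version}" unless revision
  guardian.ensure_can_see!(revision)
  post.revert_to(version)
end
```

The fixed shape fails closed: a missing revision and a hidden revision both raise before any content is produced, which is the behaviour a regression test for this endpoint should pin down.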

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access hidden or restricted post revisions that were meant to be concealed by staff.

Any user, including anonymous or regular users, could enumerate version numbers and read sensitive or confidential edit histories without proper permissions.

This unauthorized disclosure compromises the confidentiality of post revision history, potentially exposing sensitive information or internal discussions.

The vulnerability does not affect data integrity or availability, but it does allow information disclosure to unauthorized parties.

Detection Guidance

This vulnerability can be detected by attempting to access post revisions via the Discourse API endpoint `/posts/:id.json?version=X` as a user who should not be allowed to view edit history (for example, an unauthenticated session). If hidden revisions, which should be concealed by staff, are accessible by enumerating version numbers, the system is vulnerable.

A practical detection method is to use HTTP requests to query the endpoint with different version numbers and observe if hidden revisions are returned without authorization.

  • Use curl or similar tools to send requests like: `curl -i https://your-discourse-site.com/posts/POST_ID.json?version=VERSION_NUMBER`
  • Enumerate version numbers to check if hidden revisions are accessible.
  • If hidden revisions are returned instead of a permission error (e.g., 403 Forbidden), the installation is vulnerable.
Mitigation Strategies

The immediate mitigation step is to upgrade Discourse to a patched version where this vulnerability is fixed.

  • Upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or later.

These versions include a fix that enforces proper authorization checks by calling `guardian.ensure_can_see!` on the `PostRevision` object before allowing access to post revisions.

No known workarounds are available, so applying the update is critical to prevent unauthorized access to hidden post revisions.
