CVE-2026-27454
Authorization Bypass in Discourse Post Revision Access
Publication date: 2026-03-19
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.2 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.1 (exc) |
| discourse | discourse | 2026.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27454 is an authorization bypass vulnerability in the Discourse forum software affecting the endpoint `/posts/:id.json?version=X` used to access post revisions.
Before the fix, the `display_post` method directly called `post.revert_to(version)` without checking if the requested post revision was hidden or if the user had permission to view the edit history.
This flaw allowed any user to access hidden post revisions, intentionally concealed by staff, simply by enumerating version numbers, bypassing authorization checks.
The fix involves modifying the method to first retrieve the corresponding `PostRevision` object and then call `guardian.ensure_can_see!` to enforce proper permission checks before reverting to that revision.
This change aligns the authorization logic with the existing `/posts/:id/revisions/:revision` endpoint, ensuring only authorized users can view hidden or restricted revisions.
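The before/after shape of the fix described above, as an added illustrative model that is not Discourse's code: the `Post`, `PostRevision`, `Guardian` and the two `display_post_*` functions are simplified stand-ins (an assumption) that reuse the names the advisory mentions (`display_post`, `revert_to`, `PostRevision`, `ensure_can_see!`) so the missing check and the corrected ordering are visible side by side.

```ruby
# Added illustrative model of the CVE-2026-27454 fix pattern. This is NOT
# Discourse's code: Post, PostRevision, Guardian and the display_post_*
# functions are simplified stand-ins (assumption) that mirror the names the
# advisory mentions (display_post, revert_to, PostRevision, ensure_can_see!).

class AccessDenied < StandardError; end

User = Struct.new(:name, :staff)

# A stored revision of a post. `hidden` is set by staff to conceal the
# revision from non-staff users.
PostRevision = Struct.new(:post_id, :number, :raw, :hidden)

class Post
  attr_reader :id, :revisions

  def initialize(id, revisions)
    @id = id
    @revisions = revisions
  end

  # Returns the post content as it was at `version`, or nil if unknown.
  def revert_to(version)
    rev = revisions.find { |r| r.number == version }
    rev && rev.raw
  end
end

# Minimal stand-in for a Guardian: staff can see every revision,
# everyone else can see only revisions that are not hidden.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(revision)
    return true if @user && @user.staff
    !revision.hidden
  end

  def ensure_can_see!(revision)
    raise AccessDenied, "revision #{revision.number} is not visible" unless can_see?(revision)
  end
end

# Vulnerable shape described by the advisory: the requested version is
# reverted to directly, with no check that the revision may be viewed.
def display_post_vulnerable(post, version, _guardian)
  post.revert_to(version)
end

# Fixed shape: look up the PostRevision first and enforce the permission
# check before reverting, matching the /posts/:id/revisions/:revision route.
def display_post_fixed(post, version, guardian)
  revision = post.revisions.find { |r| r.number == version }
  return nil if revision.nil?           # unknown version: nothing to show
  guardian.ensure_can_see!(revision)    # raises AccessDenied for hidden revisions
  post.revert_to(version)
end

# Constructed sample data (not real forum content).
SAMPLE_POST = Post.new(42, [
  PostRevision.new(42, 1, "original text", false),
  PostRevision.new(42, 2, "internal note (hidden by staff)", true),
  PostRevision.new(42, 3, "current text", false),
])
REGULAR_USER = User.new("alice", false)
STAFF_USER   = User.new("mod", true)

if __FILE__ == $0
  g = Guardian.new(REGULAR_USER)
  puts "vulnerable: #{display_post_vulnerable(SAMPLE_POST, 2, g)}" # hidden content is returned
  begin
    display_post_fixed(SAMPLE_POST, 2, g)
  rescue AccessDenied => e
    puts "fixed: denied (#{e.message})"
  end
end
```

The point of the fixed version is ordering: the authorization decision is made on the `PostRevision` record itself, before any content is materialised, so a hidden revision never reaches the response path for a non-staff user while staff and unhidden revisions behave exactly as before.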
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to access hidden or restricted post revisions that were meant to be concealed by staff.
Any user, including anonymous or regular users, could enumerate version numbers and read sensitive or confidential edit histories without proper permissions.
This unauthorized disclosure compromises the confidentiality of post revision history, potentially exposing sensitive information or internal discussions.
The vulnerability does not affect data integrity or availability, but it does allow information disclosure to unauthorized parties.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access post revisions via the Discourse API endpoint `/posts/:id.json?version=X` without proper authorization. If hidden revisions, which should be concealed by staff, are accessible by enumerating version numbers, the system is vulnerable.
A practical detection method is to use HTTP requests to query the endpoint with different version numbers and observe if hidden revisions are returned without authorization.
- Use curl or similar tools to send requests like: `curl -i https://your-discourse-site.com/posts/POST_ID.json?version=VERSION_NUMBER`
- Enumerate version numbers to check if hidden revisions are accessible.
- If hidden revisions are returned without proper permission errors (e.g., 403 Forbidden), the vulnerability exists.
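A log-side complement to the probing approach above, as an added example that is not part of the advisory or of Discourse: it scans web-server access-log lines for the access pattern the advisory describes (one client reading many distinct `version=` values of the same post through `/posts/:id.json`) and reports the clients that did so with 200 responses. It assumes the common nginx/Apache combined log format with the query string logged; the log lines, hosts and threshold are constructed for the example.

```ruby
# Added example (not from the advisory or Discourse): flag clients that
# walked through several distinct `version=` values of one post via the
# /posts/:id.json endpoint. Assumes nginx/Apache combined log format with
# the query string present (assumption); all sample data is constructed.
require 'set'

REVISION_REQUEST = %r{
  \A(?<client>\S+)\s+\S+\s+\S+\s+\[(?<time>[^\]]+)\]\s+
  "GET\s+/posts/(?<post_id>\d+)\.json\?(?:[^"\s]*&)?version=(?<version>\d+)[^"\s]*\s+HTTP/[\d.]+"\s+
  (?<status>\d{3})
}x

# Parse one log line into a Hash, or nil if it is not a revision request.
def parse_revision_request(line)
  m = REVISION_REQUEST.match(line)
  return nil unless m
  { client: m[:client], post_id: m[:post_id].to_i,
    version: m[:version].to_i, status: m[:status].to_i }
end

# Group revision requests per (client, post) and return the pairs that
# fetched at least `min_versions` distinct versions with a 200 response.
# A 403 (or 404) from a patched server is counted separately as "denied";
# those pairs are worth a look too, but they did not read anything.
def find_version_walks(lines, min_versions: 3)
  walks = Hash.new { |h, k| h[k] = { versions: Set.new, ok: 0, denied: 0 } }
  lines.each do |line|
    req = parse_revision_request(line)
    next unless req
    entry = walks[[req[:client], req[:post_id]]]
    if req[:status] == 200
      entry[:versions] << req[:version]
      entry[:ok] += 1
    elsif [403, 404].include?(req[:status])
      entry[:denied] += 1
    end
  end
  walks.select { |_, e| e[:versions].size >= min_versions }
       .map do |(client, post_id), e|
         { client: client, post_id: post_id,
           versions: e[:versions].sort, denied: e[:denied] }
       end
end

# Constructed sample log: one client walks versions 1..4 of post 42, a normal
# browser reads a single version, and a third client is refused.
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  203.0.113.7 - - [19/Mar/2026:10:00:01 +0000] "GET /posts/42.json?version=1 HTTP/1.1" 200 812 "-" "curl/8.6.0"
  203.0.113.7 - - [19/Mar/2026:10:00:02 +0000] "GET /posts/42.json?version=2 HTTP/1.1" 200 790 "-" "curl/8.6.0"
  203.0.113.7 - - [19/Mar/2026:10:00:03 +0000] "GET /posts/42.json?version=3 HTTP/1.1" 200 801 "-" "curl/8.6.0"
  203.0.113.7 - - [19/Mar/2026:10:00:04 +0000] "GET /posts/42.json?version=4 HTTP/1.1" 404 120 "-" "curl/8.6.0"
  198.51.100.5 - - [19/Mar/2026:10:01:00 +0000] "GET /posts/42.json?version=2 HTTP/1.1" 200 790 "https://forum.example/t/7" "Mozilla/5.0"
  198.51.100.5 - - [19/Mar/2026:10:01:05 +0000] "GET /t/7.json HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
  192.0.2.9 - - [19/Mar/2026:10:02:00 +0000] "GET /posts/42.json?version=2 HTTP/1.1" 403 90 "-" "python-requests/2.31"
LOG

if __FILE__ == $0
  find_version_walks(SAMPLE_LOG).each do |w|
    puts "#{w[:client]} read #{w[:versions].size} versions of post #{w[:post_id]}: " \
         "#{w[:versions].join(',')} (#{w[:denied]} denied)"
  end
end
```

On an unpatched site a successful walk shows up as a run of 200s across consecutive version numbers; after upgrading, the same walk produces 403s for the hidden revisions, which the `denied` counter surfaces so the activity is still visible even though nothing leaked. The threshold and the 404 handling are the constructed parts and should be tuned to the site's normal revision-viewing traffic.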
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Discourse to a patched version where this vulnerability is fixed.
- Upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or later.
These versions include a fix that enforces proper authorization checks by calling `guardian.ensure_can_see!` on the `PostRevision` object before allowing access to post revisions.
No known workarounds are available, so applying the update is critical to prevent unauthorized access to hidden post revisions.