CVE-2026-27491
Received Received - Intake
Type Coercion Allows Unauthorized Warnings in Discourse API

Publication date: 2026-03-19

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27491
EUVD
EUVD-2026-13190
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27491 is a type coercion vulnerability in the Discourse platform\'s post actions API endpoint. The issue occurs because the parameter indicating a warning action (`is_warning`) was not consistently cast to a boolean type. When requests are sent as JSON, the `is_warning` parameter arrives as a Ruby boolean `true` instead of the string "true". The authorization check compared this parameter strictly as a string, causing it to fail and incorrectly allow non-staff logged-in users to create warning posts, which are intended only for staff moderators.'}, {'type': 'paragraph', 'content': 'This flaw allowed non-staff users to bypass restrictions and issue official warning messages to other users by sending specially crafted requests. The vulnerability does not expose data or escalate privileges beyond unauthorized creation of user warnings.'}, {'type': 'paragraph', 'content': 'The issue was fixed by explicitly casting the `is_warning` parameter to a boolean in the controller and simplifying the authorization check to rely on boolean truthiness rather than string comparison, ensuring consistent and correct permission enforcement.'}] [1, 2, 3, 4]

Impact Analysis

This vulnerability allows any logged-in non-staff user to create unauthorized warning messages against other users on a Discourse platform. Since warnings are a staff-only moderation feature, this could lead to misuse or abuse of the warning system.

However, the impact is limited as it does not allow data exposure, privilege escalation beyond warning creation, or affect system integrity or availability.

The unauthorized warnings could potentially cause confusion or mistrust among users if abused, but no direct compromise of sensitive data or system control is possible through this vulnerability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-27491 vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

No known workarounds are available, so applying the official patch is the only effective immediate step.

The patch fixes the issue by ensuring the `is_warning` parameter is properly cast to a boolean in the `PostActionsController#create` method, preventing non-staff users from issuing unauthorized warnings.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27491. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart