CVE-2026-27491
Type Coercion Allows Unauthorized Warnings in Discourse API
Publication date: 2026-03-19
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.2 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.1 (exc) |
| discourse | discourse | 2026.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27491 is a type coercion vulnerability in the post actions API endpoint of the Discourse platform. The parameter that marks a post action as a warning (`is_warning`) was not consistently cast to a boolean. With a form-encoded request the parameter arrives as the string "true", but with a JSON body it arrives as the Ruby boolean `true`. The staff-only check compared the parameter strictly against the string, so a JSON `true` failed the comparison and the check was skipped, while the value was still treated as set when the post was created. A logged-in non-staff user could therefore create warning posts, which are intended only for staff moderators.
This flaw allowed non-staff users to bypass the restriction and issue official warning messages to other users by sending specially crafted requests. The vulnerability does not expose data or escalate privileges beyond the unauthorized creation of user warnings.
The issue was fixed by explicitly casting the `is_warning` parameter to a boolean in the controller and simplifying the authorization check to rely on boolean truthiness rather than string comparison, so that permission enforcement is consistent regardless of request encoding. [1, 2, 3, 4]
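The following is an added example, not Discourse's own code, that models the bypass and the fix described above in plain Ruby (hashes stand in for Rails `params`; the `User`, `Forbidden`, `to_boolean` and `create_post_action_*` names are hypothetical, and the two request payloads are constructed). It shows the same guard failing open for a JSON body while holding for a form body, and the boolean-cast version rejecting both for a non-staff user.

```ruby
# Added example (not Discourse code): the string-vs-boolean guard behind CVE-2026-27491.
require "json"

class Forbidden < StandardError; end

# Minimal stand-in for a Discourse user record (hypothetical).
User = Struct.new(:name, :staff) do
  def staff?
    staff
  end
end

# Constructed inputs. Form-encoded requests deliver every value as a String;
# a JSON body is parsed first, so `true` arrives as TrueClass.
FORM_PARAMS = { "post_id" => 42, "is_warning" => "true" }.freeze
JSON_PARAMS = JSON.parse('{"post_id": 42, "is_warning": true}').freeze

# Vulnerable pattern (hypothetical reconstruction): the staff guard compares
# against the *string* "true", but the downstream code accepts either form.
def create_post_action_vulnerable(user, params)
  is_warning = params["is_warning"]
  raise Forbidden, "warnings are staff only" if is_warning == "true" && !user.staff?
  # Downstream treats a JSON true or the string "true" as "this is a warning".
  warning = (is_warning == true || is_warning == "true")
  { "post_id" => params["post_id"], "is_warning" => warning }
end

# Cast once, at the controller boundary, and refuse anything that is not a
# recognisable boolean. In a Rails app ActiveModel::Type::Boolean.new.cast
# does the same job; this plain helper keeps the example dependency-free.
def to_boolean(value)
  case value
  when true, "true", "1", 1 then true
  when false, nil, "false", "0", 0, "" then false
  else raise ArgumentError, "not a boolean: #{value.inspect}"
  end
end

# Fixed pattern: the guard and the persisted value use the same boolean.
def create_post_action_fixed(user, params)
  is_warning = to_boolean(params["is_warning"])
  raise Forbidden, "warnings are staff only" if is_warning && !user.staff?
  { "post_id" => params["post_id"], "is_warning" => is_warning }
end

# Runs both versions as a non-staff member against both encodings.
def demo
  member = User.new("member", false)
  {
    vuln_form:  (create_post_action_vulnerable(member, FORM_PARAMS) rescue :forbidden),
    vuln_json:  create_post_action_vulnerable(member, JSON_PARAMS)["is_warning"],
    fixed_form: (create_post_action_fixed(member, FORM_PARAMS) rescue :forbidden),
    fixed_json: (create_post_action_fixed(member, JSON_PARAMS) rescue :forbidden),
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The lesson generalises beyond this endpoint: any authorization check that compares a request parameter against a literal string is only as strong as the parser that produced the parameter, so normalise the type first and make the guard and the action consume the same normalised value.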
How can this vulnerability impact me?:
This vulnerability allows any logged-in non-staff user to create unauthorized warning messages against other users on a Discourse platform. Since warnings are a staff-only moderation feature, this could lead to misuse or abuse of the warning system.
However, the impact is limited as it does not allow data exposure, privilege escalation beyond warning creation, or affect system integrity or availability.
The unauthorized warnings could potentially cause confusion or mistrust among users if abused, but no direct compromise of sensitive data or system control is possible through this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-27491 vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.
No known workarounds are available, so applying the official patch is the only effective immediate step.
The patch fixes the issue by ensuring the `is_warning` parameter is properly cast to a boolean in the `PostActionsController#create` method, preventing non-staff users from issuing unauthorized warnings.