CVE-2026-28282
Received Received - Intake
Unauthorized Group Access via Policy Plugin in Discourse

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28282
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the discourse-policy plugin of the Discourse platform versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. It allows a user who has permission to create policies to gain membership access to any private or restricted groups.

Once the user gains membership to these private or restricted groups, they can read private topics that are only accessible to those groups.

The issue is fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. As a temporary workaround, administrators can review and remove the 'add-users-to-group' attribute from policies or disable the discourse-policy plugin by turning off the 'policy_enabled' site setting.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with policy creation permissions to gain access to private or restricted groups.

As a result, these unauthorized users can read private discussions and topics that should be restricted, potentially exposing sensitive or confidential information.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the discourse-policy plugin allowing unauthorized membership access to private/restricted groups via policies using the add-users-to-group attribute.

To detect if your system is vulnerable, you should check the version of your Discourse installation to see if it is prior to 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Additionally, review all policies configured in the discourse-policy plugin for the presence of the add-users-to-group attribute.

There are no specific commands provided in the available information to detect exploitation or presence of this vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 where the vulnerability is patched.
  • As a workaround, review all policies for the use of the add-users-to-group attribute and temporarily remove this attribute from the policies.
  • Alternatively, disable the discourse-policy plugin by disabling the policy_enabled site setting.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart