CVE-2026-28282
Unauthorized Group Access via Policy Plugin in Discourse

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Affected Vendors & Products
Vendor      Product     Version / Range
discourse   discourse   From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse   discourse   From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse   discourse   2026.3.0
CWE
CWE ID     Description
CWE-863    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the discourse-policy plugin of the Discourse platform versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. It allows a user who has permission to create policies to gain membership access to any private or restricted groups.

Once the user gains membership to these private or restricted groups, they can read private topics that are only accessible to those groups.

The issue is fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. As a temporary workaround, administrators can review and remove the 'add-users-to-group' attribute from policies or disable the discourse-policy plugin by turning off the 'policy_enabled' site setting.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users with policy creation permissions to gain access to private or restricted groups.

As a result, these unauthorized users can read private discussions and topics that should be restricted, potentially exposing sensitive or confidential information.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the discourse-policy plugin allowing unauthorized membership access to private/restricted groups via policies using the add-users-to-group attribute.

To detect if your system is vulnerable, you should check the version of your Discourse installation to see if it is prior to 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Additionally, review all policies configured in the discourse-policy plugin for the presence of the add-users-to-group attribute.

There are no specific commands provided in the available information to detect exploitation or presence of this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 where the vulnerability is patched.
  • As a workaround, review all policies for the use of the add-users-to-group attribute and temporarily remove this attribute from the policies.
  • Alternatively, disable the discourse-policy plugin by disabling the policy_enabled site setting.
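The detection and mitigation answers above both come down to finding every policy that uses `add-users-to-group` and removing that attribute until the upgrade is done. The script below is an added example, not code from Discourse or the discourse-policy plugin; it assumes policies are written in post raw text as `[policy attr="value" ...]...[/policy]` tags with a `group` attribute naming the policy's audience, and the sample posts are constructed.

```ruby
# Added example (not from the discourse-policy plugin or the advisory): scan post raw
# markdown for [policy ...] tags carrying the add-users-to-group attribute, report them,
# and produce the edited raw text with that attribute removed (the advisory's workaround).
# ASSUMPTION: policies are [policy attr="value" ...] ... [/policy] tags in post raw text.

POLICY_TAG = /\[policy\b([^\]]*)\]/i
ATTR       = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/

# Parse the attribute list of one [policy ...] tag into a Hash (keys lower-cased).
def parse_policy_attrs(attr_text)
  attr_text.scan(ATTR).each_with_object({}) do |(key, dq, sq, bare), attrs|
    attrs[key.downcase] = dq || sq || bare
  end
end

# One finding per policy tag that uses add-users-to-group: which post it lives in,
# which group acceptors would be added to, and which group the policy is shown to.
def find_group_adding_policies(posts)
  posts.flat_map do |post|
    post[:raw].scan(POLICY_TAG)
      .map { |(attr_text)| parse_policy_attrs(attr_text) }
      .select { |attrs| attrs.key?("add-users-to-group") }
      .map { |attrs| { post_id: post[:id], adds_to: attrs["add-users-to-group"], policy_group: attrs["group"] } }
  end
end

# Remove only the add-users-to-group attribute, leaving the rest of the policy tag intact.
def strip_add_users_to_group(raw)
  raw.gsub(POLICY_TAG) do |tag|
    tag.sub(/\s+add-users-to-group\s*=\s*(?:"[^"]*"|'[^']*'|\S+)/i, "")
  end
end

# Constructed sample posts (not real forum data).
SAMPLE_POSTS = [
  { id: 101, raw: '[policy group="staff" version="1"]Everyone must accept.[/policy]' },
  { id: 102, raw: '[policy group="trust_level_0" add-users-to-group="finance-private"]Accept this.[/policy]' },
  { id: 103, raw: 'No policy here.' },
].freeze

if __FILE__ == $PROGRAM_NAME
  find_group_adding_policies(SAMPLE_POSTS).each do |f|
    puts "post #{f[:post_id]}: policy shown to #{f[:policy_group].inspect} adds acceptors to #{f[:adds_to].inspect}"
    puts "  edited raw: #{strip_add_users_to_group(SAMPLE_POSTS.find { |p| p[:id] == f[:post_id] }[:raw])}"
  end
end
```

On a live site the posts would come from the Rails console or a database export rather than the constructed array; the advisory's workaround applies equally to policies whose `add-users-to-group` value is a group the policy audience should not be able to join.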
