CVE-2026-30889
Received Received - Intake
Insufficient Authorization in Discourse Allows Unauthorized Metadata Access

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30889
EUVD
EUVD-2026-13490
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.2 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.1 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30889 is a moderate severity vulnerability in the Discourse open-source discussion platform, specifically in the discourse-user-notes component.

The issue is caused by insufficient authorization checks that allow a moderator to access metadata of posts they should not have permission to view.

This means that moderators could see information about posts that are supposed to be restricted from their view.

Impact Analysis

This vulnerability can lead to unauthorized exposure of post metadata to moderators who should not have access.

Such unauthorized access could result in privacy and security concerns, as sensitive information about posts may be revealed.

To mitigate this risk, it is recommended to upgrade Discourse to versions 2026.1.2, 2026.2.1, or 2026.3.0-latest.1 where the issue has been patched.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Discourse to one of the patched versions: 2026.1.2, 2026.2.1, or 2026.3.0-latest.1.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart