CVE-2026-27481
Authorization Bypass in Discourse Tags Exposes Staff-Only Data
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2026.3.0 |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.2 (inc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Discourse open-source discussion platform in certain versions before they were patched. It is an authorization bypass issue that allows unauthenticated or unauthorized users to view hidden tags that are meant only for staff, along with the data associated with those tags.
Specifically, any Discourse instance that has tagging enabled and staff-only tag groups configured is impacted by this vulnerability.
How can this vulnerability impact me? :
The impact of this vulnerability is that unauthorized or unauthenticated users can access information that is intended to be restricted to staff members only. This could lead to exposure of sensitive internal tags and data that may reveal confidential or operational details about the platform or its users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Discourse installation to one of the patched versions: 2026.1.3, 2026.2.2, or 2026.3.0.
Ensure that tagging is enabled and staff-only tag groups are properly configured after the update to prevent unauthorized access to hidden tags.