Access Control Flaw in Discourse Allows Unauthorized Management of Private Topics
CVE-2026-26979

NONE

Key Information:

Vendor

Discourse
Status
Discourse
Vendor
CVE Published:
26 February 2026

What is CVE-2026-26979?

An access control vulnerability in Discourse allows TL4 users to manipulate topics in private categories they do not have permissions for. This security issue exists in versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. Users can close, archive, and pin topics without proper authorization, potentially leading to unauthorized information exposure. The issue has been addressed in the specified versions; no workarounds are available. For detailed guidance and updates, refer to the official advisory.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

discourse < 2025.12.2 < 2025.12.2

discourse >= 2026.1.0-latest, < 2026.1.1 < 2026.1.0-latest, 2026.1.1

discourse >= 2026.2.0-latest, < 2026.2.0 < 2026.2.0-latest, 2026.2.0

References

https://github.com/discourse/discourse/security/advisorie...
x_refsource_CONFIRM

CVSS V4

Score:
Severity:
NONE
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.