Authorization Bypass Vulnerability in Discourse Discussion Platform
CVE-2026-27481

6.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 3 April 2026

What is CVE-2026-27481?

Discourse, an open-source discussion platform, has a vulnerability that allows unauthorized or unauthenticated users to access hidden staff-only tags and their associated data. This affects any Discourse instance using tagging features with staff-only tag groups enabled. To mitigate this issue, users should upgrade to the patched versions 2026.1.3, 2026.2.2, or 2026.3.0.

Affected Version(s)

discourse >= 2026.1.0-latest, < 2026.1.3 < 2026.1.0-latest, 2026.1.3

discourse >= 2026.2.0-latest, < 2026.2.2 < 2026.2.0-latest, 2026.2.2

discourse >= 2026.3.0-latest, < 2026.3.0 < 2026.3.0-latest, 2026.3.0

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Feb 19, 2026

CVE-2026-27481 Data

JSON