Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Thu, 26 Feb 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available. | |
| Title | Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-26T21:27:38.926Z
Reserved: 2026-02-25T15:28:40.651Z
Link: CVE-2026-28227
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-26T22:20:49.927
Modified: 2026-02-26T22:20:49.927
Link: CVE-2026-28227
Redhat
No data.
OpenCVE Enrichment
No data.