Discourse: Unauthorized Users Can Access Private Posts
CVE-2026-26207
Summary
A security issue in the Discourse discussion platform allowed any authenticated user to access private posts or enumerate post IDs with attached policies. This was fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0. To address this issue, upgrade to one of these versions or disable the affected plugin.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.0 | – |
| discourse | discourse | > 2026.1.0, <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without verifying the current user's access. This enables policy group members to accept or unaccept policies on posts in private categories or PMs they cannot see, and it allows any authenticated user to enumerate which post IDs have policies attached, because the error responses differ between "no such post" and "post without a policy" (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a `guardian.can_see?(@post)` check in the `set_post` before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (`policy_enabled = false`) eliminates the vulnerability. There is no other workaround without upgrading.
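The following is an added, self-contained Ruby illustration of the defect class the description names (CWE-862, a `set_post` before_action that loads by ID but never asks the guardian whether the caller may see the post) beside the fixed form. It is not the discourse-policy plugin's code and does not depend on Rails: `Post`, the `POSTS` store, the `Guardian` stand-in with its simple staff-only rule, the two controller classes, and the `responses_for` helper are all constructed for this example.

```ruby
# Added example, not code from the discourse-policy plugin or Discourse core.
# Minimal stand-in for a Rails-style controller whose before_action loads a
# post by ID. VulnerablePolicyController omits the visibility check;
# FixedPolicyController adds the equivalent of `guardian.can_see?(@post)`.

Post = Struct.new(:id, :in_private_category, :has_policy, keyword_init: true)

# Constructed sample data: post 1 is public with a policy, post 2 is private
# with a policy, post 3 is private without a policy, post 4 does not exist.
POSTS = {
  1 => Post.new(id: 1, in_private_category: false, has_policy: true),
  2 => Post.new(id: 2, in_private_category: true,  has_policy: true),
  3 => Post.new(id: 3, in_private_category: true,  has_policy: false),
}.freeze

# Stand-in for a Guardian: everyone may see public posts, only staff may see
# private ones (constructed rule; a real guardian's logic is much richer).
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    return false if post.nil?
    !post.in_private_category || @user[:staff]
  end
end

# Simplified controller: actions return [status, body] instead of rendering.
class PolicyControllerBase
  def initialize(user)
    @guardian = Guardian.new(user)
  end

  # Shared action. If set_post only checks existence, a caller can both act
  # on an invisible post and tell, from 422 vs 404, whether a policy exists.
  def accept(post_id)
    status, body = set_post(post_id)
    return [status, body] if status != 200
    return [422, "no policy on post"] unless @post.has_policy

    [200, "accepted"]
  end
end

class VulnerablePolicyController < PolicyControllerBase
  # Vulnerable before_action: loads by ID with no visibility check.
  def set_post(post_id)
    @post = POSTS[post_id]
    return [404, "not found"] if @post.nil?

    [200, nil]
  end
end

class FixedPolicyController < PolicyControllerBase
  # Fixed before_action: an invisible post is answered exactly like a missing
  # one, so nothing about its policies leaks and no action can run on it.
  def set_post(post_id)
    @post = POSTS[post_id]
    return [404, "not found"] unless @guardian.can_see?(@post)

    [200, nil]
  end
end

# Status code each post ID yields for a given user, to compare both variants.
def responses_for(controller_class, user, ids = [1, 2, 3, 4])
  ids.to_h { |id| [id, controller_class.new(user).accept(id).first] }
end

if __FILE__ == $0
  member = { staff: false }
  # Vulnerable: {1=>200, 2=>200, 3=>422, 4=>404} (acts on 2; 3 vs 4 differ)
  puts "vulnerable: #{responses_for(VulnerablePolicyController, member)}"
  # Fixed:      {1=>200, 2=>404, 3=>404, 4=>404}
  puts "fixed:      #{responses_for(FixedPolicyController, member)}"
end
```

The point to check in a real review is the second one: a non-staff caller in the fixed variant gets the same 404 for an invisible post whether or not a policy is attached, while a staff user still sees the 200/422 distinction that the feature legitimately needs.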
NVD CVSS 3.1
5.4
Vulnerability type
CWE-862: Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026