Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
1.3
Discourse: Moderators can export user chat messages without permission
CVE-2026-27153
Summary
Prior to a software update, moderators on the Discourse platform could potentially access sensitive user messages without proper authorization. This has been fixed in newer versions of the software. If you're using an affected version, update to the patched version as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.2 | – |
| discourse | discourse | > 2026.1.0 , <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permi...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. The method allowed moderators to export any entity not explicitly blocked instead of restricting to an explicit allowlist. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
nvd CVSS3.1
2.7
nvd CVSS4.0
1.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026