Discourse Data Explorer plugin allows unauthorized SQL queries
CVE-2026-28218
Summary
If you run Discourse with the Data Explorer plugin, any user who can log in could read sensitive data. The plugin's access control fails open: a saved query with no explicit group assignment, including the plugin's built-in system queries, is treated as runnable by any authenticated user rather than being withheld from users who were never granted access to it. To fix this, update to the patched release for the branch you run (2025.12.2, 2026.1.1 or 2026.2.0). Until you can, assign explicit group permissions to every Data Explorer query that has none, or disable the plugin altogether.
What to do
Fixed releases exist: 2025.12.2, 2026.1.1 and 2026.2.0 patch the issue, so upgrade to the patched version of the branch you run. If you cannot upgrade immediately, set explicit group permissions on every Data Explorer query that has none, or disable the discourse-data-explorer plugin.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | < 2025.12.2 | 2025.12.2 |
| discourse | discourse | >= 2026.1.0, < 2026.1.1 | 2026.1.1 |
| discourse | discourse | < 2026.2.0 (2026.2.0 pre-release builds) | 2026.2.0 |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL q...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.
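The advisory describes a fail-open check and a workaround of scoping every unscoped query. The Ruby below is an added illustration written for this page, not code from Discourse or the discourse-data-explorer plugin: it models the buggy check beside a fail-closed one, reports which user/query pairs the bug lets through, and lists the queries an admin must scope while unpatched. All names (Query, User, authorized_fail_open?, authorized_fail_closed?, unintended_access, queries_without_groups) and the sample data are assumptions made for the example; the real plugin's models and methods differ.

```ruby
# Added illustration, not the Data Explorer plugin's own code. Models the
# fail-open authorization pattern behind CVE-2026-28218 next to a fail-closed
# version, plus the audit the workaround calls for. Struct names, method names
# and sample data are assumptions made for this example.

Query = Struct.new(:id, :name, :group_ids, keyword_init: true)
User  = Struct.new(:username, :admin, :group_ids, keyword_init: true)

# Buggy pattern: a query with no explicit group assignments is treated as
# "no restriction", so any authenticated user may run it.
def authorized_fail_open?(user, query)
  return true if user.admin
  return true if query.group_ids.empty?   # fail-open: empty means "anyone"
  (user.group_ids & query.group_ids).any?
end

# Hardened pattern: only admins may run a query that has not been explicitly
# shared with a group. An empty assignment list denies rather than allows.
def authorized_fail_closed?(user, query)
  return true if user.admin
  return false if query.group_ids.empty?  # fail-closed: empty means "nobody"
  (user.group_ids & query.group_ids).any?
end

# The (user, query) pairs the fail-open check lets through but the fail-closed
# check denies: the unintended access the advisory describes.
def unintended_access(users, queries)
  users.product(queries)
       .select { |u, q| authorized_fail_open?(u, q) && !authorized_fail_closed?(u, q) }
       .map    { |u, q| [u.username, q.name] }
end

# Workaround support: every query with no explicit group assignment, i.e. the
# ones an admin needs to scope (or remove) while the instance is unpatched.
def queries_without_groups(queries)
  queries.select { |q| q.group_ids.empty? }
end

# Constructed sample data (not real Discourse records).
SAMPLE_QUERIES = [
  Query.new(id: 1, name: "Most Common Likers", group_ids: []),   # built-in style, unscoped
  Query.new(id: 7, name: "Staff report",       group_ids: [3]),  # shared with group 3
  Query.new(id: 9, name: "Email audit",        group_ids: []),   # admin-authored, unscoped
].freeze

STAFF  = User.new(username: "mod",   admin: false, group_ids: [3])
MEMBER = User.new(username: "alice", admin: false, group_ids: [10])
ADMIN  = User.new(username: "root",  admin: true,  group_ids: [1])
SAMPLE_USERS = [STAFF, MEMBER, ADMIN].freeze

if $PROGRAM_NAME == __FILE__
  puts "Pairs the fail-open check wrongly allows:"
  unintended_access(SAMPLE_USERS, SAMPLE_QUERIES).each { |u, q| puts "  #{u} -> #{q}" }
  puts "Queries that need explicit group permissions:"
  queries_without_groups(SAMPLE_QUERIES).each { |q| puts "  ##{q.id} #{q.name}" }
end
```

The contrast that matters is the empty-group branch: the same input that returns true in the fail-open version returns false in the fail-closed one unless the caller is an admin, which is exactly what explicitly assigning a group to each unscoped query achieves on an unpatched instance.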
NVD CVSS 3.1
5.4
NVD CVSS 4.0
5.3
Vulnerability type
CWE-284
Improper Access Control
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026