Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
1.3
Discourse: Unprivileged users can move posts into restricted categories
CVE-2026-27151
Summary
Discourse users who shouldn't have permission to post in certain categories can still move posts into those categories. This is fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0. Update to one of these versions to ensure proper access controls.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.2 | – |
| discourse | discourse | > 2026.1.0 , <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated ...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
nvd CVSS3.1
2.7
nvd CVSS4.0
1.3
Vulnerability type
CWE-862
Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026