Discourse: Unsecured posts returned in some cases

CVE-2026-27162 · CVSS 4.9

Summary

Some sensitive posts (whispers, which should only be visible to users allowed to whisper) may be visible to users who should not have access to them. This affects older versions of Discourse. To fix, update to version 2025.12.2, 2026.1.1, or 2026.2.0, or patch your current version. No workaround is available.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor    | Product   | Affected versions          | Fix available |
|-----------|-----------|----------------------------|---------------|
| discourse | discourse | <= 2025.12.2               |               |
| discourse | discourse | > 2026.1.0, <= 2026.1.1    |               |
| discourse | discourse | 2026.2.0                   |               |
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `posts_nearby` was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use `Post.secured(guardian)` to properly filter post types based on user permissions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
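The pattern behind this advisory, as an added illustration that is not Discourse's own code: a nearby-posts lookup that authorizes at the topic level only and therefore leaks whisper posts, beside a version that also applies a per-post permission filter (the `secured` helper here stands in for the `Post.secured(guardian)` scope named above). The `Post` struct, `Guardian` class, post-type codes and sample data are constructed for the example.

```ruby
# Constructed post model and type codes (not Discourse's real values).
Post = Struct.new(:id, :topic_id, :post_number, :post_type)
REGULAR = 1
WHISPER = 4

# Constructed sample data: topic 7 holds regular posts and one whisper.
POSTS = [
  Post.new(1, 7, 1, REGULAR),
  Post.new(2, 7, 2, WHISPER),
  Post.new(3, 7, 3, REGULAR),
  Post.new(4, 9, 1, REGULAR),
].freeze

# Minimal stand-in for a permission object: topic visibility plus
# whether the user may see whispers.
class Guardian
  def initialize(staff:, readable_topics:)
    @staff = staff
    @readable_topics = readable_topics
  end

  def can_see_topic?(topic_id)
    @readable_topics.include?(topic_id)
  end

  def can_see_whispers?
    @staff
  end
end

# Stand-in for Post.secured(guardian): drop post types the user may not see.
def secured(posts, guardian)
  return posts if guardian.can_see_whispers?
  posts.reject { |p| p.post_type == WHISPER }
end

# Posts within +range+ of post_number in the topic, before any type filter.
def nearby(posts, topic_id, post_number, range)
  posts.select { |p| p.topic_id == topic_id && (p.post_number - post_number).abs <= range }
end

# Vulnerable shape: topic access is checked, but every post type is returned.
def posts_nearby_vulnerable(posts, guardian, topic_id, post_number, range: 1)
  return [] unless guardian.can_see_topic?(topic_id)
  nearby(posts, topic_id, post_number, range)
end

# Fixed shape: same topic check, then the per-post permission filter.
def posts_nearby_fixed(posts, guardian, topic_id, post_number, range: 1)
  return [] unless guardian.can_see_topic?(topic_id)
  nearby(secured(posts, guardian), topic_id, post_number, range)
end
```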
CVSS 3.1 (NVD): 4.9
CVSS 4.0 (NVD): 4.9

Vulnerability type: CWE-200 Information Exposure
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026