Discourse: Bypassing Private Message Blocking in Direct Messages
CVE-2026-27152
Summary
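Before versions 2025.12.2, 2026.1.1, and 2026.2.0, a Discourse user could add people who had blocked, ignored, or muted them to an existing direct-message channel, bypassing the recipient's messaging preferences. The restriction was enforced when a DM channel was created but not when members were added to it afterwards. Update to a patched version to protect your site.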
What to do
Update to Discourse 2025.12.2, 2026.1.1, or 2026.2.0, which patch the issue. No known workarounds are available.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.2 | – |
| discourse | discourse | > 2026.1.0, <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user c...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via `Chat::AddUsersToChannel` — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipient PM restrictions that are enforced during DM channel creation. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
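The description above is an instance of an authorization check enforced on one code path (DM channel creation) but missing on another (adding members to an existing channel). The following simplified model of that pattern and its correction is an added example, not Discourse's code; every class and method name in it (`User`, `DmChannel`, `allows_dm_from?`, `add_users`, `add_users_unchecked`) is hypothetical.

```ruby
# Added illustration; not Discourse code. All names are hypothetical.
require "set"

class User
  attr_reader :name, :blocked

  def initialize(name)
    @name = name
    @blocked = Set.new # users this person has blocked, ignored or muted
  end

  # Per-recipient preference: may `sender` pull this user into a DM?
  def allows_dm_from?(sender)
    !@blocked.include?(sender)
  end
end

class NotAllowed < StandardError; end

class DmChannel
  attr_reader :members

  # Creation path: preferences are enforced through the shared guard.
  def self.create(actor, targets)
    channel = new(actor)
    channel.add_users(actor, targets)
    channel
  end

  def initialize(owner)
    @members = Set[owner]
  end

  # Flawed shape: the add-members path skips the recipient check.
  def add_users_unchecked(_actor, targets)
    @members.merge(targets)
  end

  # Corrected shape: same guard as creation, applied all-or-nothing.
  def add_users(actor, targets)
    refused = targets.reject { |t| t.allows_dm_from?(actor) }
    raise NotAllowed, "refused by: #{refused.map(&:name).join(', ')}" unless refused.empty?
    @members.merge(targets)
  end
end
```

Routing both creation and membership changes through one guard keeps the two paths from drifting apart, which is the general remedy for this class of CWE-284 issue.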
nvd CVSS3.1
3.8
nvd CVSS4.0
1.3
Vulnerability type
CWE-284
Improper Access Control
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026