
Discourse Discussion Platform: Unauthorized Bookmark Creation

CVE-2026-27150
Summary

Discourse, an open source discussion platform, shipped a Data Explorer plugin whose `QueryGroupBookmarkable` was missing the `validate_before_create` authorization hook. Any logged-in user could therefore create a bookmark on a Data Explorer query group they were not allowed to see, and the bookmark reminder notifications then disclosed metadata about that query group. Versions 2025.12.2, 2026.1.1 and 2026.2.0 add the check and also make `BaseBookmarkable` raise NotImplementedError when a bookmarkable type does not implement `validate_before_create`, so a missing hook fails closed rather than silently allowing the bookmark.

What to do

Fixed in Discourse 2025.12.2, 2026.1.1 and 2026.2.0; upgrade to one of those versions or later. No workarounds are known.

Affected software
Vendor      Product     Affected versions                 Fix available
discourse   discourse   < 2025.12.2                       2025.12.2
discourse   discourse   > 2026.1.0, < 2026.1.1            2026.1.1
discourse   discourse   < 2026.2.0 (2026.2 series)        2026.2.0
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
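The following is an added example, not Discourse's own code, that models the authorization hook the advisory describes: a bookmarkable subclass that leaves `validate_before_create` as a no-op (the vulnerable shape), the same subclass checking query-group visibility (the fixed shape), and a base class whose default hook raises NotImplementedError so that a forgotten override fails closed. Only `validate_before_create` and `BaseBookmarkable` come from the advisory; the `Guardian`, `QueryGroup`, `can_see_query_group?`, the in-memory records and the other class and method names are assumptions made for this illustration, and the users and query groups are constructed data.

```ruby
# Added example (not Discourse code). Models the bookmark authorization hook
# from the advisory with constructed in-memory data; every name other than
# validate_before_create and BaseBookmarkable is hypothetical.

User = Struct.new(:id, :group_ids)
QueryGroup = Struct.new(:id, :query_name, :group_id)

# Constructed sample data: query group 2 is visible to group 20 only.
QUERY_GROUPS = {
  1 => QueryGroup.new(1, "active-users-report", 10),
  2 => QueryGroup.new(2, "payroll-export", 20),
}

class BookmarkNotAuthorized < StandardError; end

# Hypothetical guardian: a user may see a query group only via group membership.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see_query_group?(query_group)
    @user.group_ids.include?(query_group.group_id)
  end
end

# Base class with the hardened default from the fixed versions: a subclass that
# never implements the hook raises instead of silently allowing the bookmark.
class BaseBookmarkable
  def self.validate_before_create(_guardian, _bookmarkable)
    raise NotImplementedError, "#{name} must implement validate_before_create"
  end

  # Runs the hook, then returns the record a reminder notification would carry.
  # The title field is the metadata that leaked in the vulnerable versions.
  def self.create_bookmark(guardian, bookmarkable_id, reminder_at: nil)
    bookmarkable = fetch(bookmarkable_id)
    validate_before_create(guardian, bookmarkable)
    {
      bookmarkable_type: name,
      bookmarkable_id: bookmarkable_id,
      title: bookmarkable.query_name,
      reminder_at: reminder_at,
    }
  end
end

# Vulnerable shape: the hook exists but does nothing, so any logged-in user can
# bookmark any query group and learn its name from the reminder.
class VulnerableQueryGroupBookmarkable < BaseBookmarkable
  def self.fetch(id)
    QUERY_GROUPS.fetch(id)
  end

  def self.validate_before_create(_guardian, _query_group); end
end

# Fixed shape: refuse the bookmark unless the user can see the query group.
class QueryGroupBookmarkable < BaseBookmarkable
  def self.fetch(id)
    QUERY_GROUPS.fetch(id)
  end

  def self.validate_before_create(guardian, query_group)
    return if guardian.can_see_query_group?(query_group)
    raise BookmarkNotAuthorized, "user cannot see query group #{query_group.id}"
  end
end

# A bookmarkable type that forgot the hook entirely; the base class guard
# turns that omission into an error instead of an authorization bypass.
class ForgetfulBookmarkable < BaseBookmarkable
  def self.fetch(id)
    QUERY_GROUPS.fetch(id)
  end
end

# Returns :created, :denied or :not_implemented for the attempted bookmark.
# NotImplementedError is a ScriptError, so it must be rescued explicitly.
def attempt_bookmark(klass, user, query_group_id)
  klass.create_bookmark(Guardian.new(user), query_group_id,
                        reminder_at: "2026-03-01T09:00:00Z")
  :created
rescue BookmarkNotAuthorized
  :denied
rescue NotImplementedError
  :not_implemented
end

if __FILE__ == $PROGRAM_NAME
  outsider = User.new(1, [10]) # constructed user: member of group 10 only
  puts attempt_bookmark(VulnerableQueryGroupBookmarkable, outsider, 2) # :created
  puts attempt_bookmark(QueryGroupBookmarkable, outsider, 2)           # :denied
  puts attempt_bookmark(QueryGroupBookmarkable, outsider, 1)           # :created
  puts attempt_bookmark(ForgetfulBookmarkable, outsider, 1)            # :not_implemented
end
```

The point of the base-class guard is the second half of the fix: the vulnerable class did not fail any test because a no-op hook and a missing hook looked identical to the caller. Raising NotImplementedError by default makes a new bookmarkable type without an authorization check break on its first use, which is the failure mode you want for a missing-authorization (CWE-862) defect.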
NVD CVSS 3.1: 3.8
NVD CVSS 4.0: 1.3
Vulnerability type
CWE-862 Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026