Discourse: Unprivileged users can edit restricted tags

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

3.5

Discourse: Unprivileged users can edit restricted tags

CVE-2026-33426

Summary

A security issue affects Discourse discussion platforms before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Unprivileged users with tag-editing permissions could edit tags that they shouldn't have access to, potentially causing confusion or misuse. Update to the latest patched version to fix this issue.

Original title

Original description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with tag-editing permissions could edit and create synonyms for tags hidden in restricted tag groups, even if they lacked visibility into those tags. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

nvd CVSS3.1 3.5

Vulnerability type

CWE-862 Missing Authorization

https://github.com/discourse/discourse/security/advisories/GHSA-2289-4m46-2hxh

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026