Discourse: Users with elevated permissions can see deleted posts
CVE-2026-33428
Summary
Non-staff users with extra privileges can view posts that have been deleted by others. This affects users of certain Discourse versions and can be fixed by updating to a patched version.
Original description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
NVD CVSS 4.0
4.9
Vulnerability type
CWE-863
Incorrect Authorization
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026