Discourse: Authenticated users can promote topics to site-wide banners
CVE-2026-28219
Summary
Authenticated users can elevate a topic to a site-wide announcement without permission. Discourse versions before 2025.12.2, 2026.1.1, and 2026.2.0 are affected. To fix, update to the latest version or patch. If you can't update yet, review recent site announcements for unauthorized changes.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| discourse | discourse | <= 2025.12.2 | – |
| discourse | discourse | > 2026.1.0, <= 2026.1.1 | – |
| discourse | discourse | 2026.2.0 | – |
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to mod...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.
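The weakness class here (CWE-915) is mass assignment: the update handler writes whatever attributes the request carries after checking only that the caller owns the topic. The Ruby below is an added illustration, not Discourse's code; the attribute names (`banner`, `pinned_globally`, `title`) and the `staff` role are hypothetical stand-ins. It shows the vulnerable pattern beside a hardened handler that allowlists owner-editable attributes and requires staff for privileged ones before any write, plus a small audit helper in the spirit of the advisory's interim advice.

```ruby
# Added example (not Discourse's code): a mass-assignment (CWE-915) update
# path beside a hardened one. Attribute and role names are hypothetical.
require 'set'

User  = Struct.new(:name, :staff)          # staff == admin/moderator
Topic = Struct.new(:owner, :title, :banner, :pinned_globally)

# Attributes any topic owner may change versus those reserved for staff.
OWNER_EDITABLE   = Set['title'].freeze
PRIVILEGED_ATTRS = Set['banner', 'pinned_globally'].freeze

class Forbidden < StandardError; end

# VULNERABLE: every submitted key is written onto the topic after only an
# ownership check, so a regular user can promote their own topic to a banner.
def update_topic_vulnerable(user, topic, params)
  raise Forbidden, 'not the owner' unless topic.owner == user.name || user.staff
  params.each { |key, value| topic[key.to_sym] = value }
  topic
end

# HARDENED: reject unknown keys and require staff for privileged keys
# before any attribute is written (validate everything first, then assign).
def update_topic_hardened(user, topic, params)
  raise Forbidden, 'not the owner' unless topic.owner == user.name || user.staff
  params.each_key do |key|
    next if OWNER_EDITABLE.include?(key)
    if PRIVILEGED_ATTRS.include?(key)
      raise Forbidden, "#{key} requires staff" unless user.staff
    else
      raise Forbidden, "unknown attribute #{key}"
    end
  end
  params.each { |key, value| topic[key.to_sym] = value }
  topic
end

# Audit helper: topics carrying a privileged attribute although their owner
# is not staff. A starting list for manual review, not proof of abuse.
def suspicious_promotions(topics, users_by_name)
  topics.select do |t|
    (t.banner || t.pinned_globally) && !users_by_name.fetch(t.owner).staff
  end
end
```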
nvd CVSS3.1: 4.3
nvd CVSS4.0: 1.3
Vulnerability type
CWE-915
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026