{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28282", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-03-19T21:45:13.648Z", "dateUpdated": "2026-03-19T21:48:54.093Z"}, "containers": {"cna": {"title": "Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf"}, {"name": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add"}, {"name": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b"}, {"name": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:48:54.093Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting."}], "source": {"advisory": "GHSA-6cc8-x3rm-j5pf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting."}], "id": "CVE-2026-28282", "lastModified": "2026-03-19T22:16:31.317", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.317", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T23:28:06.513740+00:00", "value": {"mitigation_remediation": ["Upgrade Discourse to version 2026.3.0\u2011latest.1 or later, which includes the patch.", "If immediate upgrade is not possible, disable the discourse\u2011policy plugin by setting the policy_enabled site setting to false.", "Alternatively, audit all policies for the use of add\u2011users\u2011to\u2011group and temporarily remove that attribute from any active policy until a patch can be applied."], "summary": {"action": "Patch", "impact": "Unauthorized Access to Private Groups"}, "threat_synthesis": {"affected_systems": "The affected system is the Discourse forum software (vendor discourse:discourse). Versions prior to 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are vulnerable. Patch versions 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 contain the fix.", "description_and_impact": "Discourse, the open\u2011source discussion platform, has a flaw in the discourse\u2011policy plugin that permits a user who possesses policy creation permission to add themselves to any private or restricted group. Once added, the user can read group\u2011only private topics, effectively bypassing intended access controls. This creates a confidentiality breach by allowing privileged users to obtain unauthorized access to sensitive content, a weakness classified as CWE\u2011863 (Indirect Control of Resource for which the User does not Have Permission).", "risk_and_exploitability": "The vulnerability has a low CVSS score of 2.3, indicating minimal severity, and is not listed in the CISA KEV catalog. EPSS information is unavailable. Exploitation requires a user with policy creation privileges; the attacker does not need external access and can leverage existing permissions to elevate access within the platform. While the risk to external attackers is low, internal users with sufficient rights could inadvertently or maliciously abuse this flaw to compromise private discussions."}}}}, "created": "2026-03-20T08:55:30.072166+00:00", "updated": "2026-03-20T11:05:52.500148+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}