CVE-2026-27454

MEDIUM

Discourse has check revision visibility on posts endpoint

Title source: cna
STIX 2.1

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or if the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user by simply enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and call guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.

References (4)

Scores

CVSS v3 5.3
EPSS 0.0004
EPSS Percentile 12.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (5)
discourse/discourse 2026.3.0
discourse/discourse 2026.1.0 - 2026.1.2
discourse/discourse >= 2026.1.0-latest, < 2026.1.2
discourse/discourse >= 2026.2.0-latest, < 2026.2.1
discourse/discourse = 2026.3.0-latest
Published Mar 19, 2026
Tracked Since Mar 20, 2026