CVE-2026-28282
LOWDiscourse vulnerable to group membership addition permission bypass via discourse-policy plugin
Title source: cnaDescription
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Scores
CVSS v4
2.3
EPSS
0.0001
EPSS Percentile
1.9%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (3)
discourse/discourse
>= 2026.1.0-latest, < 2026.1.2
discourse/discourse
>= 2026.2.0-latest, < 2026.2.1
discourse/discourse
= 2026.3.0-latest
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026