Discourse Vulnerability Lets Mods Access Private Topics

CVE Notify is flagging a security flaw in the popular open-source discussion platform, Discourse. The vulnerability, tracked as CVE-2026-32615, allowed category group moderators to execute privileged actions on topics within private categories, even if they lacked the necessary read permissions. This means moderators could potentially interact with or modify content they weren’t supposed to see.
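The class of flaw described above, as an added Ruby sketch that is not Discourse's own code: a moderation check that trusts the moderating-group match alone, next to one that also requires read access, plus an audit helper for finding the group assignments that depend on that check. All names (`User`, `Category`, `can_see?`, `can_moderate?`, `moderating_groups_without_read`) and the sample data are hypothetical.

```ruby
# Added illustration; every name here is hypothetical, not Discourse source code.
require "set"

User  = Struct.new(:name, :groups)
Topic = Struct.new(:title, :category)
# read_groups is nil for a public category, a Set of group names for a private one.
Category = Struct.new(:name, :read_groups, :moderating_groups) do
  def private?
    !read_groups.nil?
  end
end

# Read access: public categories are open; private ones need a shared group.
def can_see?(user, topic)
  cat = topic.category
  !cat.private? || user.groups.intersect?(cat.read_groups)
end

# Flawed pattern: the moderating-group match alone authorizes the action.
def can_moderate_flawed?(user, topic)
  user.groups.intersect?(topic.category.moderating_groups)
end

# Hardened pattern: no privileged action on a topic the user cannot read.
def can_moderate?(user, topic)
  can_see?(user, topic) && can_moderate_flawed?(user, topic)
end

# Audit helper: per private category, moderating groups that have no read access.
def moderating_groups_without_read(categories)
  categories.select(&:private?)
            .to_h { |c| [c.name, (c.moderating_groups - c.read_groups).to_a] }
            .reject { |_, groups| groups.empty? }
end

# Constructed sample data.
INTERNAL = Category.new("internal", Set["staff"], Set["category_mods"])
GENERAL  = Category.new("general", nil, Set["category_mods"])
MOD      = User.new("mod", Set["category_mods"])
NOTES    = Topic.new("Incident notes", INTERNAL)

puts "flawed check allows: #{can_moderate_flawed?(MOD, NOTES)}"
puts "hardened check allows: #{can_moderate?(MOD, NOTES)}"
p moderating_groups_without_read([INTERNAL, GENERAL])
```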

The affected versions range across several release lines: 2026.1.0 up to (but not including) 2026.1.3, 2026.2.0 up to (but not including) 2026.2.2, and 2026.3.0 up to (but not including) 2026.3.0. Essentially, if you’re running an unpatched instance within these ranges, you’re exposed.

The good news? Discourse has already rolled out patches. Versions 2026.1.3, 2026.2.2, and 2026.3.0 address this specific issue. The fix is available, and prompt action is recommended.

What This Means For You

  • Ensure your Discourse instance is updated to at least version 2026.1.3, 2026.2.2, or 2026.3.0 immediately to patch CVE-2026-32615 and prevent unauthorized access to private category content by moderators.

Indicators of Compromise

ID: CVE-2026-32615
Type: Privilege Escalation
Indicator: Discourse versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. Category group moderators could perform privileged actions on topics inside private categories they did not have read access to.