CVE-2026-27162

Summary

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, posts_nearby was checking topic access but then returning all posts regardless of type, including whispers that should only be visible to whisperers. Use Post.secured(guardian) to properly filter post types based on user permissions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
discoursediscourse< 2025.12.2affected
discoursediscourse>= 2026.1.0-latest, < 2026.1.1affected
discoursediscourse>= 2026.2.0-latest, < 2026.2.0affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References