Discourse Broken Access Control Vulnerability Allowing Unauthorized Post Ownership Transfer in Private Messages and Restricted Categories

Vulnerability

A broken access control vulnerability has been identified in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. On sites with the 'moderators_change_post_ownership' site setting enabled, non-admin moderators can transfer ownership of posts that sit in private messages and restricted categories they cannot themselves view. Because the transferred posts then belong to the moderator, the moderator can run a personal data export to read their content, effectively exfiltrating private information. Only sites that grant moderators the ability to change post ownership are affected.

Impact

The vulnerability allows non-admin moderators to bypass access controls, change post ownership in private messages and restricted categories, and access content they should not be able to view.

Remediation

Users are advised to upgrade to Discourse versions 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. The patch adds visibility checks on the topic and post before an ownership transfer is allowed, so the acting moderator must be able to see the content whose ownership is being changed. As an alternative, the 'moderators_change_post_ownership' site setting can be disabled to prevent non-admin moderators from transferring post ownership at all.
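The following is an added illustration, written for this advisory and not code from the Discourse project: a minimal Ruby model of the two checks an ownership-transfer action needs. The role check alone (moderator plus the site setting) is the pre-fix pattern described above; the hardened version also requires that the acting user can see the topic. All class, method and field names here (SiteSetting, Guardian, PostOwnerChanger, can_see_topic?) are hypothetical, and the users, topics and posts are constructed sample data.

```ruby
# Added example modelling the authorization checks for a post ownership
# transfer. Names and data are hypothetical, not Discourse's own code.

SiteSetting = Struct.new(:moderators_change_post_ownership)

User = Struct.new(:id, :admin, :moderator, :group_ids)

# A topic is public, a private message with explicit participants,
# or placed in a category restricted to certain groups.
Topic = Struct.new(:id, :kind, :participant_ids, :allowed_group_ids)

Post = Struct.new(:id, :topic, :user_id)

# Hypothetical guardian: answers "may this user do X?" questions.
class Guardian
  def initialize(user, settings)
    @user = user
    @settings = settings
  end

  # Visibility check: admins see everything; a PM requires participation,
  # a restricted category requires membership in an allowed group.
  def can_see_topic?(topic)
    return true if @user.admin
    case topic.kind
    when :public then true
    when :private_message then topic.participant_ids.include?(@user.id)
    when :restricted_category then (topic.allowed_group_ids & @user.group_ids).any?
    else false
    end
  end

  # Role check: admins always may; moderators only when the site setting allows.
  def can_change_post_owner?
    return true if @user.admin
    @user.moderator && @settings.moderators_change_post_ownership
  end
end

class PostOwnerChanger
  def initialize(acting_user, settings)
    @guardian = Guardian.new(acting_user, settings)
  end

  # Pre-fix pattern (the defect class described in the advisory): only the
  # role is checked, so a moderator can take over posts in topics they
  # cannot see. Kept here only for contrast.
  def change_owner_role_only(post, new_owner_id)
    return :forbidden_role unless @guardian.can_change_post_owner?
    post.user_id = new_owner_id
    :ok
  end

  # Hardened pattern: role check, then a visibility check on the post's
  # topic before any ownership change is applied.
  def change_owner(post, new_owner_id)
    return :forbidden_role unless @guardian.can_change_post_owner?
    return :forbidden_hidden_topic unless @guardian.can_see_topic?(post.topic)
    post.user_id = new_owner_id
    :ok
  end
end

# Constructed scenario: a moderator (not a PM participant, not in group 7),
# an admin, a private message between users 3 and 4, and a restricted topic.
def scenario
  on = SiteSetting.new(true)
  off = SiteSetting.new(false)
  moderator = User.new(1, false, true, [])
  admin = User.new(2, true, false, [])
  group_member_mod = User.new(6, false, true, [7])
  pm = Topic.new(10, :private_message, [3, 4], [])
  restricted = Topic.new(11, :restricted_category, [], [7])
  {
    legacy_mod_on_pm: PostOwnerChanger.new(moderator, on).change_owner_role_only(Post.new(100, pm, 3), 1),
    mod_on_pm: PostOwnerChanger.new(moderator, on).change_owner(Post.new(101, pm, 3), 1),
    mod_on_restricted: PostOwnerChanger.new(moderator, on).change_owner(Post.new(102, restricted, 3), 1),
    member_mod_on_restricted: PostOwnerChanger.new(group_member_mod, on).change_owner(Post.new(103, restricted, 3), 6),
    admin_on_pm: PostOwnerChanger.new(admin, on).change_owner(Post.new(104, pm, 3), 5),
    mod_setting_off: PostOwnerChanger.new(moderator, off).change_owner(Post.new(105, Topic.new(12, :public, [], []), 3), 1)
  }
end

scenario.each { |name, result| puts "#{name}: #{result}" } if $PROGRAM_NAME == __FILE__
```

The contrast between change_owner_role_only and change_owner is the whole fix: the role check answers "may this user change ownership at all?", while the visibility check answers "may this user see this particular content?", and an ownership transfer must pass both. Disabling the site setting makes the role check fail for every non-admin moderator, which is why it works as a stopgap.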

Added: Jan 28, 2026, 8:23 PM
Updated: Jan 28, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 3.1
exploitability: 2.8
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.