Discourse Policy Plugin Access Control Vulnerability in Private Posts and Categories

Vulnerability

A vulnerability in the Discourse `discourse-policy` plugin allows authenticated users to interact with policies on posts they cannot view. This issue affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The vulnerability arises because the `PolicyController` retrieves posts by ID without checking whether the requesting user is allowed to see the post. As a result, policy group members can accept or reject policies on posts in private categories or direct messages they cannot see. Additionally, because the controller returns different error responses depending on whether a post exists and has a policy attached, any authenticated user can use those differences to identify post IDs with attached policies, leading to unauthorized information disclosure.
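The following stand-alone Ruby sketch is an added illustration of the two defects described above and is not code from the `discourse-policy` plugin or from Discourse. It models a policy "accept" action in its vulnerable shape (fetch by ID, act, no visibility check, distinct error responses) next to a hardened shape (resolve the post, consult a guardian before acting, and collapse "missing" and "not visible" into one response). The `Post`, `User` and `Guardian` names and the in-memory `POSTS` table are constructed for the example; the real Discourse `Guardian` and controller APIs are not reproduced here.

```ruby
# Added example (not discourse-policy code): minimal model of an
# authorization gap in a post-policy endpoint and one way to close it.

Post = Struct.new(:id, :in_private_category, :has_policy)
User = Struct.new(:name, :can_see_private)
Response = Struct.new(:status, :body)

# Constructed sample data: one public post and two posts in a private category.
POSTS = {
  1 => Post.new(1, false, true),  # public, policy attached
  2 => Post.new(2, true,  true),  # private, policy attached
  3 => Post.new(3, true,  false), # private, no policy
}.freeze

# Assumed stand-in for a visibility check; Discourse's real Guardian is richer.
class Guardian
  def initialize(user)
    @user = user
  end

  def can_see?(post)
    !post.in_private_category || @user.can_see_private
  end
end

# Vulnerable shape: the post is looked up by id and acted on without asking
# whether the caller may see it. Two side effects follow:
#  - a policy member can accept a policy on a post hidden from them;
#  - the 404 / 422 / 200 split tells any caller which hidden ids carry a policy.
def vulnerable_accept(_user, post_id)
  post = POSTS[post_id]
  return Response.new(404, "not found") unless post
  return Response.new(422, "no policy on post") unless post.has_policy

  Response.new(200, "accepted")
end

# Hardened shape: visibility is checked before any policy logic runs, and a
# post the caller cannot see is reported exactly like a post that does not
# exist, so the error surface no longer distinguishes hidden ids.
def hardened_accept(user, post_id)
  post = POSTS[post_id]
  guardian = Guardian.new(user)
  return Response.new(404, "not found") if post.nil? || !guardian.can_see?(post)
  return Response.new(422, "no policy on post") unless post.has_policy

  Response.new(200, "accepted")
end

# Returns true when the two ids yield distinguishable responses for this user,
# i.e. when the endpoint leaks information about one of them.
def distinguishable?(handler, user, id_a, id_b)
  method(handler).call(user, id_a).status != method(handler).call(user, id_b).status
end

if $PROGRAM_NAME == __FILE__
  outsider = User.new("outsider", false)
  [1, 2, 3, 99].each do |id|
    v = vulnerable_accept(outsider, id)
    h = hardened_accept(outsider, id)
    puts "post #{id}: vulnerable=#{v.status} hardened=#{h.status}"
  end
end
```

Run the file directly to see that, for a user without access to the private category, the vulnerable handler answers 200, 422 and 404 for posts 2, 3 and a nonexistent id, while the hardened handler answers 404 for all three. Note that the hardened version still returns 422 versus 200 for posts the user can see; that distinction is acceptable because nothing is revealed that the user could not already observe by viewing the post.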

Impact

Exploitation of this vulnerability allows for unauthorized interaction with post policies in private categories or direct messages, as well as unauthorized enumeration of post IDs with attached policies, according to the Discourse security advisory.

Remediation

Users can upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability. Alternatively, the `discourse-policy` plugin can be disabled, at the cost of losing the plugin's features.

Added: Feb 26, 2026, 5:04 PM
Updated: Feb 26, 2026, 5:04 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.3
exploitability: 3.3
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.