Discourse Insecure Direct Object Reference Vulnerability in ReviewableNotesController
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The issue arises in the ReviewableNotesController when the 'enable_category_group_moderation' site setting is active. Under these conditions, users in a category moderation group can create or delete notes on any reviewable, regardless of whether they hold moderation rights over that reviewable's category. The root cause is that the reviewable lookup was unscoped: it fetched the reviewable by id alone, allowing access to reviewables outside the categories the user's moderation group is responsible for.
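The following is an added illustration of the unscoped-versus-scoped lookup pattern this advisory describes, written in plain Ruby for this page; it is not Discourse's code, and the `Reviewable`, `Category`, `User` structs, the `reviewable_by_group_id` field and the helper names are hypothetical stand-ins.

```ruby
# Hypothetical minimal models standing in for Discourse's (not its real schema).
Reviewable = Struct.new(:id, :category_id)
Category   = Struct.new(:id, :reviewable_by_group_id)
User       = Struct.new(:id, :staff, :group_ids)

# Constructed sample data: two categories, each moderated by a different group.
REVIEWABLES = [Reviewable.new(1, 10), Reviewable.new(2, 20)]
CATEGORIES  = [Category.new(10, 100), Category.new(20, 200)]

# Vulnerable pattern: the lookup is keyed by id alone, so any caller who
# reaches the controller can address any reviewable (the IDOR).
def find_reviewable_unscoped(_user, reviewable_id)
  REVIEWABLES.find { |r| r.id == reviewable_id }
end

# Categories the user may moderate: staff see everything, category group
# moderators only the categories whose moderation group they belong to.
def moderated_category_ids(user)
  return CATEGORIES.map(&:id) if user.staff
  CATEGORIES.select { |c| user.group_ids.include?(c.reviewable_by_group_id) }.map(&:id)
end

# Hardened pattern: the lookup itself is restricted to the user's scope, so an
# out-of-scope id simply resolves to nil rather than to someone else's record.
def find_reviewable_scoped(user, reviewable_id)
  allowed = moderated_category_ids(user)
  REVIEWABLES.find { |r| r.id == reviewable_id && allowed.include?(r.category_id) }
end

# Note creation goes through the scoped lookup; nil means the controller should
# answer with 404/403 instead of touching the note.
def create_note(user, reviewable_id, text, notes)
  reviewable = find_reviewable_scoped(user, reviewable_id)
  return nil unless reviewable
  note = { reviewable_id: reviewable.id, user_id: user.id, text: text }
  notes << note
  note
end
```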
Impact
The vulnerability allows users in a category moderation group to manipulate notes on any reviewable in the system, potentially leading to unauthorized modifications or deletions of reviewable notes.
Remediation
Upgrade to Discourse version 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability. Alternatively, disable the 'enable_category_group_moderation' site setting, which restricts access to the review queue to staff users only.