Discourse TL4 User Privilege Escalation Vulnerability in Private Categories

Vulnerability

A vulnerability in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 allows TL4 (trust level 4) users to manipulate topics in private categories they do not have access to. These users could close, archive, and pin topics there, misusing their TL4 privileges to interfere with discussions in restricted areas.

Impact

Exploitation of this vulnerability allows TL4 users to improperly manage topics in private categories, including closing, archiving, and pinning discussions, which could disrupt communication and organization within those categories.

Remediation

Users can upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability.
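
The three fixed versions belong to different release lines, so a single "is it at least 2025.12.2" comparison would wrongly report 2026.1.0 as patched. The Ruby check below is an added example, not code from Discourse or from this advisory; it assumes each listed version fixes its own year.month line, that older lines have no listed fix, and that later lines include it. The sample version strings are constructed.

```ruby
require "rubygems" # Gem::Version, normally loaded by default

# Fixed releases as listed in the advisory, keyed by release line (year.month).
FIXED = {
  [2025, 12] => Gem::Version.new("2025.12.2"),
  [2026, 1]  => Gem::Version.new("2026.1.1"),
  [2026, 2]  => Gem::Version.new("2026.2.0"),
}.freeze

NEWEST_FIXED_LINE = FIXED.keys.max # arrays compare element by element

# Classify an installed version string as :affected, :fixed or :unknown.
# Assumption: only plain release numbers ("2026.1.0", optionally prefixed
# with "v") can be judged; anything with a suffix is left for manual review.
def discourse_tl4_status(version_string)
  core = version_string.to_s.strip[/\Av?(\d+(?:\.\d+){1,2})\z/, 1]
  return :unknown if core.nil?

  version = Gem::Version.new(core)
  line = version.segments.first(2)

  if FIXED.key?(line)
    # Same release line: compare against that line's own fixed release.
    version >= FIXED[line] ? :fixed : :affected
  elsif (line <=> NEWEST_FIXED_LINE) == 1
    # Assumption: lines after the newest listed fix already contain it.
    :fixed
  else
    # Older line with no fixed release listed: "prior to" applies.
    :affected
  end
end

# The single-threshold check that misclassifies newer unpatched lines.
def naive_fixed?(version_string)
  Gem::Version.new(version_string) >= Gem::Version.new("2025.12.2")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory of version strings.
  %w[2025.11.5 2025.12.1 2025.12.2 2026.1.0 2026.1.1 2026.2.0 2026.1.0-dev].each do |v|
    puts format("%-14s %s", v, discourse_tl4_status(v))
  end
end
```
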

Added: Feb 26, 2026, 8:35 PM
Updated: Feb 26, 2026, 8:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.