Discourse Destination Topic Write Permission Vulnerability in Post Moving Action

Vulnerability

A vulnerability in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 allows TL4 users and category group moderators to move posts into topics in categories where they have no posting privileges. The issue arises because the 'move_posts' action verifies only the ability to move posts from the source topic and does not check write permissions on the destination topic. As a result, users can inadvertently place posts in read-only categories or in categories with group-restricted writing access.
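The gap described above, shown as a simplified model with the source-only check beside a check that also covers the destination. This is an added example, not Discourse's code or its patch; every class, method and sample value in it is hypothetical.

```ruby
# Simplified model of the authorization gap; every class and method name here
# is hypothetical and is not taken from the Discourse code base.
Category = Struct.new(:name, :posting_groups)   # nil posting_groups = anyone may post
Topic    = Struct.new(:title, :category)
User     = Struct.new(:name, :trust_level, :groups, :moderated_categories)

class MoveGuard
  def initialize(user)
    @user = user
  end

  # May the user move posts out of this topic? (TL4 or category group moderator)
  def can_move_from?(topic)
    @user.trust_level >= 4 || @user.moderated_categories.include?(topic.category.name)
  end

  # May the user create posts in this topic's category?
  def can_post_in?(topic)
    allowed = topic.category.posting_groups
    allowed.nil? || !(allowed & @user.groups).empty?
  end

  # Flawed pattern described above: only the source topic is checked.
  def source_only_check(source, _destination)
    can_move_from?(source)
  end

  # Corrected pattern: the destination must also be writable by the mover.
  def source_and_destination_check(source, destination)
    can_move_from?(source) && can_post_in?(destination)
  end
end

# Constructed sample data.
GENERAL          = Category.new("general", nil)
ANNOUNCEMENTS    = Category.new("announcements", ["staff"]) # group-restricted writing
STAFF_ONLY_TOPIC = Topic.new("Release notes", ANNOUNCEMENTS)
OPEN_TOPIC       = Topic.new("Chat", GENERAL)
OTHER_OPEN_TOPIC = Topic.new("Off-topic", GENERAL)
TL4_USER         = User.new("tl4_user", 4, ["trust_level_4"], [])

def demo
  guard = MoveGuard.new(TL4_USER)
  { flawed_restricted: guard.source_only_check(OPEN_TOPIC, STAFF_ONLY_TOPIC),
    fixed_restricted:  guard.source_and_destination_check(OPEN_TOPIC, STAFF_ONLY_TOPIC),
    fixed_open:        guard.source_and_destination_check(OPEN_TOPIC, OTHER_OPEN_TOPIC) }
end
```

A regression test for this class of bug should assert the denial on the destination side, as `fixed_restricted` does, rather than only exercising permitted moves.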

Impact

Exploiting this vulnerability could lead to unauthorized post movements into categories where the user lacks posting rights, potentially disrupting category management and user discussions.

Remediation

Users are advised to upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0.

Added: Feb 26, 2026, 9:30 PM
Updated: Feb 26, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.