Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 0
- >= 2026.1.0-latest
- >= 2026.2.0-latest
A vulnerability in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 allows users to bypass direct message (DM) communication preferences when adding members to existing DM channels. This issue arises because users can include targets who have blocked, ignored, or muted them, circumventing the per-recipient private message restrictions that are normally applied during the creation of DM channels. The vulnerability has been patched in versions 2025.12.2, 2026.1.1, and 2026.2.0.
Exploitation of this vulnerability allows for a bypass of DM communication preferences, enabling users to add others to DM channels despite existing blocks or mutes, thus undermining the intended privacy controls.
Users can upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability.
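The flaw described above is an authorization check enforced on the channel-creation path but not on the add-members path. The following added example (not Discourse's code; every class and method name is a hypothetical model, and the sample users are constructed) shows the unchecked path beside one that reuses the creation-time check:

```ruby
require "set"

# Hypothetical minimal model; names are assumptions, not Discourse's API.
class User
  attr_reader :name, :blocked, :ignored, :muted
  def initialize(name)
    @name = name
    @blocked, @ignored, @muted = Set.new, Set.new, Set.new
  end

  # Per-recipient preference: may `sender` reach this user by DM?
  def allows_dm_from?(sender)
    [blocked, ignored, muted].none? { |set| set.include?(sender.name) }
  end
end

class NotAllowed < StandardError; end

class DmChannel
  attr_reader :members
  def initialize(creator, targets)
    DmChannel.ensure_reachable!(creator, targets) # enforced at creation
    @members = [creator, *targets]
  end

  def self.ensure_reachable!(actor, targets)
    refused = targets.reject { |t| t.allows_dm_from?(actor) }
    raise NotAllowed, refused.map(&:name).join(", ") unless refused.empty?
  end

  # Flawed path: membership grows without consulting recipient preferences.
  def add_members_unchecked(actor, targets)
    @members |= targets
  end

  # Corrected path: same check as creation, run before any state change.
  def add_members(actor, targets)
    DmChannel.ensure_reachable!(actor, targets)
    @members |= targets
  end
end

def attempt
  yield
  :ok
rescue NotAllowed
  :refused
end
```

A regression test for this class of bug should exercise every path that changes channel membership with a recipient who has blocked, ignored, or muted the acting user, not only the creation path.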