Discourse Whispers Access Control Vulnerability in `posts_nearby` Function

Vulnerability

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an access control flaw in the `posts_nearby` function. The function returns every post in the selected range regardless of its type, including whispers, which should be visible only to specific users. As a result, whisper content can reach users who are not permitted to see it, leading to unauthorized visibility of private messages. The root cause is that the function does not filter post types according to the requesting user's permissions: instead of going through the appropriate access control method, it includes whispers in the response and thereby exposes sensitive information.
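The following Ruby example is added here to illustrate the class of bug described above; it is not Discourse's code and does not reproduce the project's real `posts_nearby` implementation. Every name in it (the `Post` and `User` structs, `POST_TYPES`, `can_see_whispers?`, `visible_post_types`, the sample topic) is constructed for the example. It contrasts a lookup that selects posts by position only with one that first narrows the allowed post types to what the viewer may see, and it includes a small check a defender could use to assert that no whisper leaks to a non-privileged viewer.

```ruby
# Added example (not Discourse's code): minimal model of a "posts nearby"
# lookup that forgets to filter post types, beside a hardened version.
# All names, values and sample data below are constructed for illustration.

Post = Struct.new(:post_number, :post_type, :raw, keyword_init: true)
User = Struct.new(:name, :staff, keyword_init: true)

# Constructed post-type codes; only the distinction regular vs whisper matters here.
POST_TYPES = { regular: 1, whisper: 4 }.freeze

# Constructed sample topic: six posts, with whispers at positions 3 and 5.
TOPIC_POSTS = [
  Post.new(post_number: 1, post_type: POST_TYPES[:regular], raw: "first"),
  Post.new(post_number: 2, post_type: POST_TYPES[:regular], raw: "second"),
  Post.new(post_number: 3, post_type: POST_TYPES[:whisper], raw: "staff-only note"),
  Post.new(post_number: 4, post_type: POST_TYPES[:regular], raw: "fourth"),
  Post.new(post_number: 5, post_type: POST_TYPES[:whisper], raw: "another staff-only note"),
  Post.new(post_number: 6, post_type: POST_TYPES[:regular], raw: "sixth"),
].freeze

# Hypothetical guardian-style permission check: only staff may see whispers.
# An anonymous viewer (nil) never can.
def can_see_whispers?(user)
  !user.nil? && user.staff == true
end

# Vulnerable shape: the window is applied to the raw post list, so the
# viewer's permissions never influence which post types come back.
def posts_nearby_vulnerable(posts, post_number, window: 1)
  posts.select { |p| (p.post_number - post_number).abs <= window }
end

# Hardened shape, step 1: decide the set of post types this viewer may see.
def visible_post_types(user)
  types = [POST_TYPES[:regular]]
  types << POST_TYPES[:whisper] if can_see_whispers?(user)
  types
end

# Hardened shape, step 2: filter by permitted type first, then by position.
def posts_nearby_fixed(posts, post_number, user, window: 1)
  allowed = visible_post_types(user)
  posts.select do |p|
    allowed.include?(p.post_type) && (p.post_number - post_number).abs <= window
  end
end

# Regression-style check: whispers present in a response that the viewer is
# not entitled to see. An empty result means no leak for this viewer.
def leaked_whispers(response, user)
  return [] if can_see_whispers?(user)
  response.select { |p| p.post_type == POST_TYPES[:whisper] }
end

if __FILE__ == $PROGRAM_NAME
  anon = User.new(name: "anon", staff: false)
  puts "vulnerable, anon: #{posts_nearby_vulnerable(TOPIC_POSTS, 4).map(&:post_number).inspect}"
  puts "fixed, anon:      #{posts_nearby_fixed(TOPIC_POSTS, 4, anon).map(&:post_number).inspect}"
  puts "leaked whispers:  #{leaked_whispers(posts_nearby_vulnerable(TOPIC_POSTS, 4), anon).size}"
end
```

The point of the split into `visible_post_types` and the positional filter is that the permission decision is made once, per viewer, before any posts are selected; a later change to the window logic cannot accidentally widen what a non-staff viewer sees.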

Impact

This vulnerability can cause unauthorized exposure of whispers, allowing users to see private messages that should be restricted to certain individuals.

Remediation

Users can upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability.

Added: Feb 26, 2026, 9:30 PM
Updated: Feb 26, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.