Discourse Authorization Bypass Vulnerability in Post Revisions

Vulnerability

An authorization bypass vulnerability has been identified in Discourse, an open-source discussion platform, affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The issue lies in the posts endpoint: a request to /posts/:id.json?version=X bypassed the authorization checks that normally apply to post revisions. A user could therefore read revisions that staff had deliberately hidden simply by enumerating version numbers. The root cause was that the display_post method called post.revert_to directly, without first checking whether the requested revision was hidden or whether the requesting user was permitted to view the post's edit history.
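
The following is an added illustration, not Discourse's own code: a minimal model of a post with revisions, a guardian object that decides who may see each revision, and the version-selection step of the controller in its vulnerable shape beside the checked shape. Every name in it (Revision, Post, Guardian, can_see_post_revision?, display_post_vulnerable, display_post_fixed, edit_history_public) is an assumption chosen for the example, and the sample post and users are constructed.

```ruby
# Added example, not Discourse's code. Models the missing check described in
# the advisory: a ?version=X parameter selecting a revision with no
# authorization, beside the same step guarded by a policy object.
# All identifiers here are assumptions for illustration only.

Revision = Struct.new(:number, :raw, :hidden, keyword_init: true)
User     = Struct.new(:name, :staff, keyword_init: true)

class Post
  attr_reader :id, :raw, :revisions, :edit_history_public

  # revisions: content snapshots numbered from 1; `hidden` marks a snapshot
  # that staff chose to conceal from the public edit history.
  def initialize(id:, raw:, revisions:, edit_history_public: true)
    @id = id
    @raw = raw
    @revisions = revisions
    @edit_history_public = edit_history_public
  end

  def revision(version)
    revisions.find { |r| r.number == version }
  end
end

class Guardian
  def initialize(user)
    @user = user
  end

  def staff?
    !@user.nil? && @user.staff
  end

  # Constructed policy: staff see every revision; everyone else sees a
  # revision only if the post's edit history is public AND the revision
  # itself has not been hidden by staff.
  def can_see_post_revision?(post, revision)
    return false if revision.nil?
    return true if staff?
    post.edit_history_public && !revision.hidden
  end
end

# Vulnerable shape: the version parameter selects a revision and its content
# is returned with no authorization check, so walking version numbers
# exposes hidden revisions to anyone.
def display_post_vulnerable(post, version)
  return { status: 200, raw: post.raw } if version.nil?
  rev = post.revision(version)
  return { status: 404 } if rev.nil?
  { status: 200, raw: rev.raw }
end

# Fixed shape: the guardian is consulted before the revision is used.
# A missing revision is 404; an existing one the user may not see is 403.
def display_post_fixed(post, version, user)
  return { status: 200, raw: post.raw } if version.nil?
  rev = post.revision(version)
  return { status: 404 } if rev.nil?
  return { status: 403 } unless Guardian.new(user).can_see_post_revision?(post, rev)
  { status: 200, raw: rev.raw }
end

# Constructed sample data for a stand-alone run.
SAMPLE_POST = Post.new(
  id: 42,
  raw: "current text",
  revisions: [
    Revision.new(number: 1, raw: "original text", hidden: false),
    Revision.new(number: 2, raw: "text staff later hid", hidden: true),
  ],
)
ANON   = nil
MEMBER = User.new(name: "alice", staff: false)
STAFF  = User.new(name: "mod", staff: true)

if __FILE__ == $PROGRAM_NAME
  [1, 2].each do |v|
    puts "version=#{v} vulnerable:   #{display_post_vulnerable(SAMPLE_POST, v)}"
    puts "version=#{v} fixed (anon): #{display_post_fixed(SAMPLE_POST, v, ANON)}"
    puts "version=#{v} fixed (staff):#{display_post_fixed(SAMPLE_POST, v, STAFF)}"
  end
end
```

The point of the fixed shape is ordering: the permission decision is made on the specific revision object before any of its content is loaded into the response. Whether a concealed revision should answer 403 or 404 is a separate design choice; answering 404 avoids confirming that a hidden revision exists at that number, at the cost of a less informative error for staff debugging.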

Impact

Exploitation of this vulnerability allowed unauthorized users to access hidden post revisions, including content intentionally concealed by staff.

Reproduction

To reproduce this vulnerability, request /posts/:id.json?version=X as a user who lacks permission to view the post's revisions, such as a regular user or an anonymous user. Because the endpoint performed no authorization check on the selected revision, changing the version number in the request returns revisions that staff had hidden.

Remediation

Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, where this vulnerability has been patched.

Added: Mar 19, 2026, 9:40 PM
Updated: Mar 19, 2026, 9:40 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.4
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.