Discourse Authorization Bypass Vulnerability Allowing Access to Hidden Tags

Vulnerability

An authorization bypass vulnerability has been identified in Discourse, an open-source discussion platform. This vulnerability affects versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The issue allows unauthenticated or unauthorized users to view hidden (staff-only) tags and their associated data. All Discourse instances with tagging enabled and staff-only tag groups configured are impacted.

Impact

Exploitation of this vulnerability allows unauthorized users to access and view staff-only tags and related data, bypassing the intended authorization controls.

Remediation

Users can upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0 to address this vulnerability.
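
The following is an added example, not code from Discourse or from this advisory's publisher: a Ruby check that classifies an installed version string against the affected ranges quoted above, so an inventory of forums can be triaged for the upgrade. It assumes each range is half-open (first affected version up to, but not including, the fixed version) and that versions compare the way RubyGems orders them; the function names, constant names and sample inventory are hypothetical.

```ruby
# Assumption: each range on this page is half-open (first affected <= v < fixed)
# and versions order as RubyGems orders them, so "-latest" sorts before the
# plain release of the same number. Not Discourse's own code.
require "rubygems"

# [first affected, first fixed] pairs, copied from the advisory text.
AFFECTED_RANGES = [
  ["2026.1.0-latest", "2026.1.3"],
  ["2026.2.0-latest", "2026.2.2"],
  ["2026.3.0-latest", "2026.3.0"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Returns [:affected, "<fixed version>"], [:not_listed, nil] or [:invalid, nil].
# :not_listed means only that this page's ranges do not cover the version.
def classify_discourse_version(raw)
  text = raw.to_s.strip.sub(/\Av/i, "")          # tolerate a leading "v"
  return [:invalid, nil] if text.empty?
  version = Gem::Version.new(text)               # raises on malformed input
  match = AFFECTED_RANGES.find { |lo, hi| version >= lo && version < hi }
  match ? [:affected, match[1].to_s] : [:not_listed, nil]
rescue ArgumentError
  [:invalid, nil]
end

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
  "forum-a.example" => "2026.1.2",
  "forum-b.example" => "2026.2.0-latest",
  "forum-c.example" => "2026.3.0",
  "forum-d.example" => "v2026.1.3",
  "forum-e.example" => "unknown",
}.freeze

# Hosts that need an upgrade, mapped to the fixed version for their branch.
def hosts_to_upgrade(inventory)
  inventory.each_with_object({}) do |(host, raw), out|
    status, fixed = classify_discourse_version(raw)
    out[host] = fixed if status == :affected
  end
end

if __FILE__ == $PROGRAM_NAME
  hosts_to_upgrade(SAMPLE_INVENTORY).each { |h, v| puts "#{h}: upgrade to #{v}" }
end
```

Entries classified as :invalid (such as the constructed "unknown" host) should be checked by hand rather than treated as unaffected.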

Added: Apr 3, 2026, 10:18 PM
Updated: Apr 3, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.7
remediation: 7.7
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.