Discourse Type Coercion Vulnerability in Post Actions API Endpoint Allows Unauthorized Warnings

Vulnerability

A type coercion vulnerability has been identified in Discourse, an open-source discussion platform, prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The issue resides in a post actions API endpoint, where non-staff users were able to issue warnings to other users. Warnings are intended for staff-only moderation. This vulnerability required the user to be logged in and to send a specially crafted request. While it allowed the creation of unauthorized user warnings, it did not lead to any data exposure or privilege escalation beyond this.

Impact

Exploitation of this vulnerability allowed non-staff users to bypass moderation controls and issue warnings to other users, a capability reserved for staff members.

Reproduction

To reproduce this vulnerability, a logged-in non-staff user can send a request to the post actions API endpoint, including the 'is_warning' parameter. The absence of proper type casting allows the parameter to be interpreted as a boolean true, bypassing authorization checks and enabling the user to issue a warning.
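The following Ruby snippet is an added illustration of the coercion pattern described above; it is not Discourse's own code. The handler, the user hash and its `staff` flag are hypothetical, and only the `is_warning` parameter name comes from the advisory.

```ruby
# Illustrative Ruby (hypothetical handler, not Discourse's code) showing why an
# uncast request parameter turns into a boolean true and how a strict cast plus
# an explicit staff check closes the gap.

# Only recognised boolean spellings count as true; anything else ("false", "0",
# "", "yes", nil) is treated as false. This mirrors a strict boolean cast.
TRUE_VALUES = [true, 1, "1", "true", "TRUE", "t", "on"].freeze

def strict_boolean(value)
  TRUE_VALUES.include?(value)
end

# Naive check: in Ruby every String is truthy, so merely *including*
# is_warning in the request (even is_warning=false) takes the warning path.
def warning_requested_naive?(params)
  !!params["is_warning"]
end

# Hardened check: the flag is true only after a strict boolean cast.
def warning_requested_strict?(params)
  strict_boolean(params["is_warning"])
end

class NotAuthorized < StandardError; end

# Hardened handler: casts the flag strictly and, independently of how the flag
# parsed, refuses to create a warning for a non-staff caller.
def create_post_action(current_user, params)
  is_warning = warning_requested_strict?(params)
  if is_warning && !current_user[:staff]
    raise NotAuthorized, "warnings are staff-only"
  end
  { is_warning: is_warning }
end

# Constructed sample request from a non-staff user.
if __FILE__ == $PROGRAM_NAME
  request = { "is_warning" => "false" }
  puts "naive:  #{warning_requested_naive?(request)}"   # true (coerced)
  puts "strict: #{warning_requested_strict?(request)}"  # false
end
```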

Remediation

Users can update to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch.

Added: Mar 19, 2026, 9:40 PM
Updated: Mar 19, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.