Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 0
- >= 2026.1.0-latest
- >= 2026.2.0-latest
A vulnerability in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 allows authenticated users to improperly modify certain attributes of their own topics. The issue stems from an inadequate authorization check in the topic update process: by altering specific parameters in a PUT or POST request, a regular user can change a topic's status to a site-wide notice or banner, circumventing established administrative controls. There are no effective workarounds other than applying the available security patch. Until the patch is applied, administrators should review recent changes to site banners and global notices for unauthorized modifications.
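As an added illustration of the bug class the advisory describes (not Discourse's own code; the structs, attribute names and status values below are hypothetical stand-ins), the vulnerable shape checks only topic ownership before writing every submitted parameter, while the hardened shape validates each parameter against the caller's role before applying any of them:

```ruby
# Hypothetical model of a topic update endpoint (constructed for this
# example, not Discourse's implementation).
User  = Struct.new(:id, :staff)
Topic = Struct.new(:id, :owner_id, :title, :status)

class Unauthorized < StandardError; end

# Attributes a topic owner may submit at all (allow-list).
EDITABLE_ATTRS = %w[title status].freeze
# Status values that promote a topic site-wide; these require staff.
SITE_WIDE_STATUSES = %w[banner notice].freeze

# Vulnerable shape: ownership (or staff) is the only check, after which
# every submitted parameter is written, so an owner can set status=banner.
def update_topic_vulnerable(user, topic, params)
  raise Unauthorized unless user.staff || topic.owner_id == user.id
  params.each { |k, v| topic[k.to_sym] = v }
  topic
end

# Hardened shape: the authorization decision looks at both the attribute
# and the value being set, and all parameters are validated before any
# write happens so a rejected request leaves the topic untouched.
def update_topic(user, topic, params)
  raise Unauthorized unless user.staff || topic.owner_id == user.id
  params.each do |k, v|
    raise ArgumentError, "unknown attribute #{k}" unless EDITABLE_ATTRS.include?(k)
    next unless k == "status" && SITE_WIDE_STATUSES.include?(v)
    raise Unauthorized, "status=#{v} requires staff" unless user.staff
  end
  params.each { |k, v| topic[k.to_sym] = v }
  topic
end
```

The point of the hardened version is that ownership of the object is not the same permission as changing its site-wide visibility, and the check must run before any attribute is persisted.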
Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing regular users to promote topics to global banners or notices, bypassing administrative restrictions.
Users should update to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0. Instructions for updating Discourse can be found in the Discourse official documentation.