Discourse Unauthorized Topic Creation in Staff-Only Categories Vulnerability

Vulnerability

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 allow a TL4 (trust level 4) user to publish topics into staff-only categories. A TL4 user who can schedule a 'publish_to_category' topic timer can set a staff-only category as its destination; when the timer fires, the topic is moved into that category without the authorization check that direct topic creation applies. The root cause is that permission checks on the destination category are not enforced for this timer path, so a non-staff user ends up posting into a category that is closed to them.
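The authorization gap described above, modelled as an added Ruby example that is not Discourse's own code: a timer that publishes a topic without consulting its creator's permissions (the vulnerable shape) beside one that re-runs the creator's category permission check at the moment it fires (the hardened shape). The class and method names (User, Category, Topic, Guardian, PublishTimer, can_create_topic_in?), the staff-only rule and the sample users are assumptions made for illustration.

```ruby
# Simplified model of a "publish to category" topic timer. This is an added
# example, not Discourse's own code: User, Category, Topic, Guardian,
# PublishTimer and the staff-only rule are assumptions made for illustration.

User     = Struct.new(:name, :trust_level, :staff)
Category = Struct.new(:name, :staff_only)
Topic    = Struct.new(:title, :category, :visible)

class Guardian
  def initialize(user)
    @user = user
  end

  # The rule enforced on direct topic creation in this model: staff-only
  # categories accept new topics only from staff, whatever the user's
  # trust level (a TL4 user is still not staff).
  def can_create_topic_in?(category)
    return true unless category.staff_only
    @user.staff == true
  end
end

class PublishTimer
  attr_reader :created_by, :topic, :destination

  def initialize(created_by:, topic:, destination:)
    @created_by  = created_by
    @topic       = topic
    @destination = destination
  end

  # Vulnerable shape: the timer fires from a background job with no acting
  # user, so the destination category is never authorized against the person
  # who scheduled the timer. A TL4 user who may schedule timers can therefore
  # land a topic in a category they cannot post to directly.
  def execute_unchecked
    @topic.category = @destination
    @topic.visible  = true
    :published
  end

  # Hardened shape: re-run the same Guardian check that direct topic creation
  # uses, against the timer's creator, when the timer fires (not only when it
  # was scheduled, since permissions can change in between). On failure the
  # topic stays where it is and nothing is published.
  def execute_checked
    guardian = Guardian.new(@created_by)
    return :denied unless guardian.can_create_topic_in?(@destination)
    @topic.category = @destination
    @topic.visible  = true
    :published
  end
end

# Constructed sample users: a TL4 member who is not staff, and a moderator.
TL4_USER   = User.new("alice", 4, false)
STAFF_USER = User.new("mod", 4, true)

# Constructed scenario: +user+ schedules a draft topic to be published into a
# staff-only category, and the timer is executed with the given method.
# Returns the timer's result and the category the topic ends up in.
def publish_scenario(user, execute_method)
  staff  = Category.new("staff", true)
  drafts = Category.new("drafts", false)
  topic  = Topic.new("hello", drafts, false)
  timer  = PublishTimer.new(created_by: user, topic: topic, destination: staff)
  [timer.public_send(execute_method), topic.category.name]
end

if __FILE__ == $PROGRAM_NAME
  p publish_scenario(TL4_USER, :execute_unchecked)   # TL4 topic lands in "staff"
  p publish_scenario(TL4_USER, :execute_checked)     # denied, topic stays in "drafts"
  p publish_scenario(STAFF_USER, :execute_checked)   # staff may still publish
end
```

The point of the hardened shape is that the check is tied to the user who scheduled the timer and is evaluated against the destination category at execution time; a check only at scheduling time, or a check run as the system user, would leave the same gap open.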

Impact

A TL4 user can create topics in staff-only categories that are otherwise closed to non-staff posting, so inappropriate or disruptive content can appear in spaces intended for staff. The issue affects posting into those categories, not reading them.

Remediation

Administrators should upgrade to Discourse 2025.12.2, 2026.1.1, or 2026.2.0 (or a later release in the same line). Because an upgrade does not undo timers that have already fired, also review staff-only categories for topics published by non-staff users while a vulnerable version was running.

Added: Feb 26, 2026, 10:29 PM
Updated: Feb 26, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 2.8
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.