Discourse Discourse-Policy Plugin Group Membership Bypass Vulnerability

Vulnerability

A vulnerability in the policy management feature of the Discourse discussion platform allows users who are permitted to create policies to improperly gain membership in private or restricted groups. This issue is present in Discourse versions through 2026.2.0-latest, 2026.1.0-latest, and 2026.2.0-latest. Once a user gains membership in a private group, they can read the private topics exclusive to that group. The vulnerability arises because the 'add-users-to-group' attribute in policies automatically enrolls users in the named group without verifying whether the policy creator is allowed to manage that group.

Impact

Exploitation of this vulnerability allows unauthorized access to private group memberships, enabling users to read private topics exclusive to those groups.

Reproduction

To reproduce this vulnerability, create a policy that includes the 'add-users-to-group' attribute targeting a private group. Once the policy is accepted, the accepting user is added to the group and gains access to its private topics.

Remediation

Users can update to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch. Alternatively, review and remove the 'add-users-to-group' attribute from existing policies, or disable the Discourse-Policy plugin by turning off the 'policy_enabled' site setting.
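The authorization gap described in the Vulnerability section, and the policy review recommended under Remediation, modelled as an added Ruby example. This is not the Discourse-Policy plugin's own code: the User, Group and Policy structures, the manageable_by? rule (site admin or listed group owner) and every method name are assumptions made for illustration. The unchecked acceptance path shows the behaviour the advisory describes; validate_policy_group! is the kind of check a patched version needs at policy save time, and audit_policies flags existing policies that would need the attribute removed.

```ruby
require 'set'

# Hypothetical minimal model of users, groups and policies (not the plugin's classes).
User   = Struct.new(:name, :admin, keyword_init: true)
Policy = Struct.new(:id, :creator, :add_users_to_group, keyword_init: true)

Group = Struct.new(:name, :private, :owners, :members, keyword_init: true) do
  # Assumed management rule: a site admin or a listed group owner may manage the group.
  def manageable_by?(user)
    user.admin || owners.include?(user.name)
  end
end

class PolicyAuthorizationError < StandardError; end

# Vulnerable behaviour as the advisory describes it: on acceptance the accepting
# user is enrolled in the target group with no check on whether the policy
# creator is allowed to manage that group.
def accept_policy_unchecked(policy, accepting_user, groups)
  group = groups.fetch(policy.add_users_to_group)
  group.members << accepting_user.name
  group
end

# Hardened form: refuse to save a policy whose 'add-users-to-group' target the
# creator cannot manage. Returns true when the policy is acceptable.
def validate_policy_group!(policy, groups)
  target = policy.add_users_to_group
  return true if target.nil?

  group = groups[target]
  raise PolicyAuthorizationError, "unknown group #{target}" if group.nil?
  unless group.manageable_by?(policy.creator)
    raise PolicyAuthorizationError,
          "#{policy.creator.name} cannot manage group #{target}"
  end
  true
end

# Review helper for existing policies: returns the ids of policies whose
# 'add-users-to-group' attribute points at a private group the creator cannot manage.
def audit_policies(policies, groups)
  policies.select do |p|
    g = groups[p.add_users_to_group]
    g && g.private && !g.manageable_by?(p.creator)
  end.map(&:id)
end

# Constructed sample data: one private group owned by bob, one public group,
# and four policies created by different users.
def sample_world
  alice = User.new(name: 'alice', admin: false)
  bob   = User.new(name: 'bob',   admin: false)
  admin = User.new(name: 'admin', admin: true)
  groups = {
    'staff-lounge' => Group.new(name: 'staff-lounge', private: true,
                                owners: Set['bob'], members: Set['bob']),
    'public-chat'  => Group.new(name: 'public-chat', private: false,
                                owners: Set[], members: Set[])
  }
  policies = [
    Policy.new(id: 1, creator: alice, add_users_to_group: 'staff-lounge'), # should be rejected
    Policy.new(id: 2, creator: bob,   add_users_to_group: 'staff-lounge'), # owner: allowed
    Policy.new(id: 3, creator: alice, add_users_to_group: nil),            # no enrolment
    Policy.new(id: 4, creator: admin, add_users_to_group: 'staff-lounge')  # admin: allowed
  ]
  { users: { alice: alice, bob: bob, admin: admin }, groups: groups, policies: policies }
end

if $PROGRAM_NAME == __FILE__
  w = sample_world
  puts "policies needing review: #{audit_policies(w[:policies], w[:groups]).inspect}"
end
```

Running the audit over the sample data reports policy 1 only: alice neither owns 'staff-lounge' nor is an admin, so her policy is the one that would quietly grant private-group membership to anyone who accepts it.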

Added: Mar 19, 2026, 10:57 PM
Updated: Mar 19, 2026, 10:57 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 3.1
exploitability: 3.9
remediation: 8.3
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.