Discourse Policy Creation Vulnerability Allowing Unauthorized Users to Create Policy Acceptance Widgets

Vulnerability

A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows users not in the designated policy creation groups to create functional policy acceptance widgets in posts, under certain conditions. The issue arises from a missing permission check for policy creation. Exploitation of this vulnerability could lead to unauthorized policy acceptance actions being performed on behalf of the user.

Impact

This vulnerability could be exploited to bypass policy creation restrictions, allowing unauthorized users to create and manage policy acceptance widgets, which could be misused to manipulate policy compliance or engagement on the platform.

Remediation

Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 to address this vulnerability. Alternatively, the Discourse policy plugin can be disabled by turning off the 'policy_enabled' site setting.
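As an added illustration of the defect class described above (a missing server-side authorization check on who may create a policy acceptance widget) and of the 'policy_enabled' kill switch, the Ruby below contrasts an unchecked rendering path with one that verifies group membership before activating the widget. This is example code written for this page, not Discourse's or the policy plugin's own code; the setting name policy_create_allowed_groups, the User struct, the '[policy' markup test and the audit helper are all assumptions constructed for the example.

```ruby
# Added example (not Discourse's or the policy plugin's code): server-side
# authorization for "only members of designated groups may create a policy
# acceptance widget". Every name below except 'policy_enabled' is hypothetical.
require 'set'

# Minimal user model: groups is a Set of group names.
User = Struct.new(:id, :username, :groups)

# Site settings, constructed for the example. 'policy_enabled' is the setting
# named in the advisory; 'policy_create_allowed_groups' is an assumed name for
# the designated policy creation groups.
SITE_SETTINGS = {
  policy_enabled: true,
  policy_create_allowed_groups: Set['staff', 'moderators']
}.freeze

# Vulnerable shape: the widget becomes active whenever a post contains the
# policy markup, regardless of who authored the post.
def render_policy_widget_unchecked(post_raw)
  return nil unless post_raw.include?('[policy')
  { widget: :policy_acceptance, active: true }
end

# Permission check: plugin must be enabled and the author must belong to at
# least one allowed group. Decided on the server from the stored author, never
# from anything the client sends with the post.
def can_create_policy?(user, settings = SITE_SETTINGS)
  return false unless settings[:policy_enabled]
  return false if user.nil? || user.groups.nil?
  !(user.groups & settings[:policy_create_allowed_groups]).empty?
end

# Hardened shape: the same markup renders as an inert widget when the author
# is not permitted, so no acceptance action can be recorded through it.
def render_policy_widget(post_raw, author, settings = SITE_SETTINGS)
  return nil unless post_raw.include?('[policy')
  unless can_create_policy?(author, settings)
    return { widget: :policy_acceptance, active: false, reason: :author_not_permitted }
  end
  { widget: :policy_acceptance, active: true }
end

# Audit helper for defenders: given stored posts (hashes with :id, :raw,
# :author), return the ids of posts carrying policy markup whose author is
# not in an allowed group. Useful after upgrading to find widgets created
# while the check was missing.
def find_unauthorized_policy_posts(posts, settings = SITE_SETTINGS)
  posts.select { |p| p[:raw].include?('[policy') && !can_create_policy?(p[:author], settings) }
       .map { |p| p[:id] }
end

if $PROGRAM_NAME == __FILE__
  staff  = User.new(1, 'alice', Set['staff'])
  member = User.new(2, 'bob', Set['trust_level_1'])
  markup = '[policy]Please accept the updated rules[/policy]'
  puts "unchecked, non-member author: #{render_policy_widget_unchecked(markup)}"
  puts "checked,   non-member author: #{render_policy_widget(markup, member)}"
  puts "checked,   staff author:      #{render_policy_widget(markup, staff)}"
  disabled = SITE_SETTINGS.merge(policy_enabled: false)
  puts "plugin disabled, staff author: #{render_policy_widget(markup, staff, disabled)}"
end
```

The point of the contrast is that the markup itself is not the control: whether the widget is active has to be decided from the persisted author and the current site settings at render time, and an audit over existing posts is how an administrator finds widgets that slipped through before the fix.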

Added: Mar 19, 2026, 10:55 PM
Updated: Mar 19, 2026, 10:55 PM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           2.4
  impact           0.6
  exploitability   4.3
  remediation      8.3
  relevance        4.1
  threat           0.0
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.