Discourse Authorization Bypass Vulnerability in Hidden Solved Topics Allowing Unauthorized Solution Management

Vulnerability

An authorization bypass vulnerability has been identified in Discourse, an open-source discussion platform. This vulnerability exists in hidden Solved topics and may allow unauthorized users to accept or unaccept solutions. It affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The issue arises from insufficient authorization checks, enabling unauthorized manipulation of solution statuses in certain topics.

Impact

Exploitation of this vulnerability could lead to unauthorized users being able to accept or unaccept solutions in hidden Solved topics, disrupting the intended authorization controls.

Remediation

Upgrade to Discourse version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, each of which contains the patch. As an additional hardening step, ensure that only trusted groups are listed in the accept_all_solutions_allowed_groups Site Setting, since membership in those groups is what grants the ability to accept solutions on any topic.
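The following audit script is an added example, not code from the advisory or from Discourse itself: it reads the admin site settings and reports any group id in accept_all_solutions_allowed_groups that is outside a trusted set. It assumes that this group_list setting is stored as pipe-separated group ids, that an admin API key can read GET /admin/site_settings.json, and that the built-in admins, moderators and staff groups carry ids 1, 2 and 3.

```python
"""Audit the accept_all_solutions_allowed_groups Site Setting.

Assumptions (not stated in the advisory): group_list settings are stored as
pipe-separated group ids such as "3|11", readable by an admin API key via
GET /admin/site_settings.json.
"""
import json
import urllib.request

SETTING = "accept_all_solutions_allowed_groups"
# Assumed built-in group ids: 1 = admins, 2 = moderators, 3 = staff.
DEFAULT_TRUSTED = frozenset({1, 2, 3})


def parse_group_setting(raw):
    """Turn "3|11|" into {3, 11}; tolerates blanks and stray whitespace."""
    return {int(part) for part in raw.split("|") if part.strip()}


def untrusted_groups(raw, trusted=DEFAULT_TRUSTED):
    """Group ids granted by the setting that are not in the trusted set."""
    return sorted(parse_group_setting(raw) - set(trusted))


def audit_settings(payload, trusted=DEFAULT_TRUSTED):
    """Inspect a decoded /admin/site_settings.json document.

    Returns (setting_found, untrusted_group_ids).
    """
    for entry in payload.get("site_settings", []):
        if entry.get("setting") == SETTING:
            return True, untrusted_groups(str(entry.get("value", "")), trusted)
    return False, []


def fetch_settings(base_url, api_key, api_username):
    """Download the admin site settings (requires an admin API key)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/site_settings.json",
        headers={"Api-Key": api_key, "Api-Username": api_username},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response standing in for a live fetch.
SAMPLE = {"site_settings": [
    {"setting": "title", "value": "Example forum"},
    {"setting": SETTING, "value": "3|11"},
]}

if __name__ == "__main__":
    found, extra = audit_settings(SAMPLE)
    print("setting present:", found, "untrusted group ids:", extra)
```

Against a live forum, replace SAMPLE with fetch_settings(base_url, api_key, api_username) and treat any non-empty untrusted list as a finding to review before or after upgrading.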

Added: Mar 20, 2026, 11:23 PM
Updated: Mar 20, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 2.4
impact: 0.6
exploitability: 2.9
remediation: 8.3
relevance: 4.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.