Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.2.0-latest
- >= 2026.1.0-latest
A vulnerability in Discourse's Post Edits admin report feature allowed unauthorized access to private message content and secure category posts. Moderators could inadvertently view the first 40 characters of raw post edits from these restricted areas, violating privacy protocols. This issue affected Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.
The vulnerability could lead to unauthorized disclosure of private message content and secure category posts to moderators.
The vulnerability can be reproduced by accessing the Post Edits admin report as a moderator. The report then shows content from private messages and secure categories.
Users can upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 to address this vulnerability.