Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.2.0-latest
- >= 2026.1.0-latest
A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allowed moderators to access the first 40 characters of post edits from private messages and secure categories. This information was inadvertently leaked through the Post Edits admin report, creating an improper authorization issue by giving moderators access to content they should not see.
The vulnerability could lead to unauthorized disclosure of private message content, specifically post edits, to moderators who do not have the appropriate access rights.
To reproduce this vulnerability, a moderator can access the Post Edits admin report. Edits made to posts in private messages or secure categories will be visible, despite the moderator not having permission to view that content.
Users can update to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, where this vulnerability has been patched.
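The flaw class described above, shown as an added example that is not Discourse's code: a report that excerpts every edit regardless of viewer, beside a version that authorizes each row first, plus a regression check that lists leaked rows. All names, the permission model and the sample data are hypothetical and constructed for illustration.

```ruby
# Toy model with hypothetical names; none of this is Discourse's actual code.
EXCERPT_LEN = 40 # the advisory says the first 40 characters of an edit were exposed

User     = Struct.new(:id, :admin, keyword_init: true)
Topic    = Struct.new(:kind, :member_ids, keyword_init: true) # kind: :public, :pm, :secure
Revision = Struct.new(:post_id, :topic, :edit_text, keyword_init: true)

# Assumption of this model: admins see everything; everyone else needs membership
# in a private message or secure category to see its content.
def can_see?(user, topic)
  user.admin || topic.kind == :public || topic.member_ids.include?(user.id)
end

def row(rev)
  { post_id: rev.post_id, excerpt: rev.edit_text[0, EXCERPT_LEN] }
end

# Shape of the flaw: truncation is treated as the safeguard, the viewer is ignored.
def post_edits_report_unfiltered(revisions, _viewer)
  revisions.map { |rev| row(rev) }
end

# Hardened shape: authorize each row for the viewer before excerpting anything.
def post_edits_report(revisions, viewer)
  revisions.select { |rev| can_see?(viewer, rev.topic) }.map { |rev| row(rev) }
end

# Regression check: post ids a report returned although the viewer may not see them.
def leaked_post_ids(report_rows, revisions, viewer)
  hidden = revisions.reject { |rev| can_see?(viewer, rev.topic) }.map(&:post_id)
  report_rows.map { |r| r[:post_id] } & hidden
end

# Constructed sample data: one public edit, one PM edit, one secure-category edit.
MODERATOR = User.new(id: 7, admin: false)
REVISIONS = [
  Revision.new(post_id: 1, topic: Topic.new(kind: :public, member_ids: []),
               edit_text: "Fixed a typo in the release announcement for everyone"),
  Revision.new(post_id: 2, topic: Topic.new(kind: :pm, member_ids: [3, 4]),
               edit_text: "constructed private message edit text, not real data"),
  Revision.new(post_id: 3, topic: Topic.new(kind: :secure, member_ids: [7]),
               edit_text: "secure category edit the moderator belongs to"),
]
```

A check like `leaked_post_ids` belongs in the test suite of any report or export that aggregates content across permission boundaries, run once per non-admin role.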