Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.1.0-latest, < 2026.1.3
- >= 2026.2.0-latest, < 2026.2.2
- >= 2026.3.0-latest, < 2026.3.0
A vulnerability in Discourse's sentiment analytics endpoint has been identified, affecting versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. This vulnerability allows authenticated moderator-level users to access post content, topic titles, and usernames from categories they are not authorized to view. The issue arises from inadequate access controls on the sentiment analytics endpoint, which failed to properly enforce category permission boundaries. As a result, sensitive information from restricted categories could be retrieved by moderators without the necessary permissions.
Exploitation of this vulnerability could lead to unauthorized access to post content, topic titles, and usernames from restricted categories, allowing moderators to bypass established category permission boundaries.
To reproduce this vulnerability, an authenticated user with moderator privileges, but without permission to a given restricted category, sends a request to the sentiment posts endpoint. The response includes posts from categories the moderator is not authorized to access. This can be tested by creating posts and topics in restricted categories and verifying that the endpoint returns them when requested by such a moderator.
Users are advised to update Discourse to version 2026.1.3, 2026.2.2, or 2026.3.0.
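The root cause described above is an analytics query that filters only on the category id supplied by the client, never on what the calling user is allowed to see. The following Ruby snippet is an added illustration written for this page; it is not Discourse's code, and `Post`, `User`, `visible_category_ids`, `sentiment_posts_unchecked` and `sentiment_posts_for` are hypothetical stand-ins for the real models and permission checks. It shows the unchecked query beside a version that enforces the caller's category permissions at query time, using constructed sample data.

```ruby
# Added example, not Discourse's code. Models a sentiment-analytics query
# over posts and shows why the category permission check must be applied
# server-side using the caller's identity, not the client's request.

Post = Struct.new(:id, :topic_title, :username, :category_id, :raw, :sentiment)

# Constructed sample data: category 1 is public, category 9 is restricted.
POSTS = [
  Post.new(1, "Welcome",          "alice", 1, "hello everyone",  0.8),
  Post.new(2, "Staff only plans", "bob",   9, "private roadmap", -0.2),
  Post.new(3, "Bug report",       "carol", 1, "it broke again",  -0.6),
].freeze

# Hypothetical permission model: the set of category ids a user may read,
# as a stand-in for whatever guardian/permission object the application uses.
User = Struct.new(:username, :visible_category_ids)

def serialize(posts)
  posts.map do |p|
    { title: p.topic_title, username: p.username, content: p.raw, sentiment: p.sentiment }
  end
end

# Vulnerable shape (the class of defect in the advisory): the only filter is
# the client-supplied category id, so any caller can read any category.
def sentiment_posts_unchecked(category_id = nil)
  scope = category_id ? POSTS.select { |p| p.category_id == category_id } : POSTS
  serialize(scope)
end

# Hardened shape: the result set is always intersected with the categories
# the caller may read. A request for a category the caller cannot see is
# answered with nil (treated as not found) rather than leaking its contents;
# a request with no category returns only posts from visible categories.
def sentiment_posts_for(user, category_id = nil)
  allowed = user.visible_category_ids
  if category_id
    return nil unless allowed.include?(category_id)
    return serialize(POSTS.select { |p| p.category_id == category_id })
  end
  serialize(POSTS.select { |p| allowed.include?(p.category_id) })
end

# Constructed moderator who is not allowed into category 9.
MODERATOR = User.new("mod", [1])

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, category 9: #{sentiment_posts_unchecked(9).map { |h| h[:username] }}"
  puts "checked,   category 9: #{sentiment_posts_for(MODERATOR, 9).inspect}"
  puts "checked,   all:        #{sentiment_posts_for(MODERATOR).map { |h| h[:username] }}"
end
```

The design point is that the permission filter lives inside the query function and takes the user as input, so every code path that serves analytics data (a single category, or an unfiltered aggregate) goes through the same boundary; a check bolted on in one controller action and forgotten in another is exactly how this kind of endpoint leaks.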