Discourse Unauthorized Access to Deleted Posts Vulnerability

Vulnerability

A vulnerability in Discourse prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows non-staff users with elevated group membership to access deleted posts of any user. This issue arises from an overly broad authorization check on the deleted posts index endpoint.

Impact

Exploitation of this vulnerability allows unauthorized access to deleted posts, potentially leading to the disclosure of sensitive information.

Remediation

Users are advised to upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

Added: Mar 21, 2026, 12:26 AM
Updated: Mar 21, 2026, 12:26 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 4.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.