Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

INFO

Published Date :

2026-03-19T20:47:54.668Z

Last Modified :

2026-03-20T20:20:00.790Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27491 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27491.

URL Resource
https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f8757be cve-icon cve-icon
https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd531b89 cve-icon cve-icon
https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab35d7886 cve-icon cve-icon
https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability