CVE-2026-27935

Discourse leaks private topic metadata to non-authorized users

Description

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

INFO

Published Date :

2026-03-19T21:33:38.459Z

Last Modified :

2026-03-20T16:28:35.052Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-27935 vulnerability.

Vendors	Products
Discourse	Discourse

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27935.

URL	Resource
https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc
https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897
https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab
https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability