Description

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

INFO

Published Date :

2026-03-19T21:45:13.648Z

Last Modified :

2026-03-20T18:10:26.922Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28282 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28282.

URL Resource
https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add cve-icon cve-icon
https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b cve-icon cve-icon
https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951 cve-icon cve-icon
https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability