CVE-2026-28227

Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

CVSS 1.2 LOW · EPSS 3.1% · CWE-863
In short

Discourse allows trust level 4 (TL4) users to post topics in staff-only categories by scheduling a `publish_to_category` topic timer, bypassing the intended access restrictions. This lets users who are not staff create content in restricted areas.

Technical detail

TL4 users can bypass authorization checks in Discourse by leveraging the `publish_to_category` topic timer mechanism to publish topics into staff-only categories. The vulnerability stems from insufficient permission validation when the topic timer executes: the category permission check that applies to a direct topic creation is not applied to the deferred publish, allowing privilege escalation into restricted content areas.

Summary generated and translated by AI from the official description.
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
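The authorization gap described above, as an added illustration in Ruby (Discourse is a Rails application). This is not Discourse's own code: the `Category`, `User`, `Topic`, `TopicTimer` structs and the `can_create_topic_in?` guardian are hypothetical stand-ins that model a deferred publish action executing without re-checking the scheduling user's rights, beside the hardened form that re-checks them at execution time.

```ruby
# Added illustration, not Discourse's own code: a deferred "publish to
# category" action modelled as a small authorization problem. All names here
# are hypothetical stand-ins for the real models and guardian.
Category   = Struct.new(:name, :staff_only)
User       = Struct.new(:name, :staff, :trust_level)
Topic      = Struct.new(:title, :category)
TopicTimer = Struct.new(:topic, :user, :category, keyword_init: true)

# Hypothetical guardian rule: only staff may create topics in a staff-only
# category. A direct "create topic" request is checked against this rule.
def can_create_topic_in?(user, category)
  !category.staff_only || user.staff
end

# Vulnerable pattern (CWE-863, incorrect authorization): the timer stores the
# target category when it is scheduled, and execution applies that stored
# value without asking whether the scheduling user may post there.
def execute_timer_unchecked(timer)
  timer.topic.category = timer.category
  :published
end

# Hardened pattern: re-run the guardian check at execution time, for the user
# who scheduled the timer, against the destination category.
def execute_timer_checked(timer)
  return :denied unless can_create_topic_in?(timer.user, timer.category)
  timer.topic.category = timer.category
  :published
end

# Constructed scenario: a non-staff TL4 user schedules a publish into a
# staff-only category. Returns the outcome of each execution path.
def run_scenario
  staff_cat = Category.new("staff", true)
  tl4 = User.new("tl4_user", false, 4)

  unchecked_topic = Topic.new("scheduled post", Category.new("general", false))
  checked_topic   = Topic.new("scheduled post", Category.new("general", false))

  unchecked = execute_timer_unchecked(TopicTimer.new(topic: unchecked_topic, user: tl4, category: staff_cat))
  checked   = execute_timer_checked(TopicTimer.new(topic: checked_topic, user: tl4, category: staff_cat))

  {
    unchecked: unchecked,                                           # :published (bypass)
    unchecked_landed_in_staff: unchecked_topic.category.staff_only, # true
    checked: checked,                                               # :denied
    checked_landed_in_staff: checked_topic.category.staff_only,     # false
  }
end
```

The fix is to evaluate the same category permission at execution time that a direct topic creation is subject to, so a stored target category cannot outrun the check.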
Affected products
discourse · discourse
