{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.541Z", "datePublished": "2026-03-19T20:47:54.668Z", "dateUpdated": "2026-03-19T20:47:54.668Z"}, "containers": {"cna": {"title": "Discourse has a bypass of official warnings messages by non-staff users", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j"}, {"name": "https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f8757be", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f8757be"}, {"name": "https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd531b89", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd531b89"}, {"name": "https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab35d7886", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab35d7886"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:47:54.668Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-xq37-5fvf-4m4j", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "id": "CVE-2026-27491", "lastModified": "2026-03-19T21:17:09.090", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:09.090", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f8757be"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd531b89"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab35d7886"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-19T22:26:47.616355+00:00", "value": {"mitigation_remediation": ["Upgrade to Discourse version 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 where the type coercion issue has been patched"], "summary": {"action": "Patch Upgrade", "impact": "Unauthorized Moderation Actions (Warning Message Bypass)"}, "threat_synthesis": {"affected_systems": "The affected product is Discourse, the open-source discussion platform. Versions prior to 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are vulnerable. These releases allow the abuse of the post actions API for warning creation by non\u2011staff users.", "description_and_impact": "This vulnerability is a type coercion issue in Discourse's post actions API that allows authenticated, non\u2011staff users to issue warnings to other users. Warning messages are a staff\u2011only moderation feature. Exploiting the flaw can create unauthorized user warnings but does not provide data exposure or privilege escalation. The weakness corresponds to CWE\u2011862 (Missing Authorization Check). The CVSS score of 6.9 indicates moderate severity.", "risk_and_exploitability": "The flaw requires the attacker to be a logged\u2011in user and to send a specifically crafted request to the post actions endpoint. The attack vector is network based and does not involve remote code execution or data exfiltration. With a CVSS score of 6.9, the risk is moderate. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. However, the need for authenticated access means that any user already logged in can abuse the feature to generate false warnings."}}}}, "created": "2026-03-20T08:56:08.149961+00:00", "updated": "2026-03-20T11:06:18.014326+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}