CVE Alert

CVE-2026-28282

Severity: UNKNOWN (CVSS 0.0)

Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 2nd

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

CWE: CWE-863 (Incorrect Authorization)
Vendor: discourse
Product: discourse
Published: Mar 19, 2026
Last Updated: Mar 20, 2026

Affected Versions

discourse / discourse
- >= 2026.1.0-latest, < 2026.1.2
- >= 2026.2.0-latest, < 2026.2.1
- = 2026.3.0-latest

References

- GitHub advisory: https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf
- Fix commit: https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add
- Fix commit: https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b
- Fix commit: https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951