CVE-2026-33408

LOW 2.2

Discourse has Improper Authorization in "Post Edits" Report For Moderators

CVSS Score

2.2

EPSS Score

0.0%

EPSS Percentile

6th

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

CWE	CWE-862
Vendor	discourse
Product	discourse
Published	Mar 19, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new low vulnerabilities affecting discourse discourse are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

discourse / discourse

>= 2026.1.0-latest, < 2026.1.2 >= 2026.2.0-latest, < 2026.2.1 = 2026.3.0-latest

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c github.com: https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c github.com: https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1 github.com: https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800