Discourse: Category group moderators can perform actions on topics in...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Basic Information

ID CVE-2026-32615

Source GitHub_M

Published Mar 31, 2026 at 17:40

Modified Apr 1, 2026 at 18:06

Affected Product

Vendor discourse

Product discourse

Version >= 2026.1.0-latest, < 2026.1.3

Affected Versions discourse discourse >= 2026.1.0-latest, < 2026.1.3
discourse discourse >= 2026.2.0-latest, < 2026.2.2
discourse discourse >= 2026.3.0-latest, < 2026.3.0

CWE Classification

CWE-285

References

{
    "lastseen": "",
    "description": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.",
    "published": "2026-03-31T17:40:17.212Z",
    "modified": "2026-04-01T18:06:54.206Z",
    "type": "cve",
    "title": "Discourse: Category group moderators can perform actions on topics in restricted categories without read access",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-pr9m-5hpq-wc57\nhttps://github.com/discourse/discourse/commit/5a00b47523ec70cbb6e8efc3ac7677cc0a91448b",
    "id": "CVE-2026-32615",
    "bulletinFamily": "",
    "cwe": [
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse >= 2026.1.0-latest, < 2026.1.3\ndiscourse discourse >= 2026.2.0-latest, < 2026.2.2\ndiscourse discourse >= 2026.3.0-latest, < 2026.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": ">= 2026.1.0-latest, < 2026.1.3",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Discourse: Category group moderators can perform actions on topics in restricted categories without read access_CVE-2026-32615