Listen to this Post
The vulnerability resides in the discourse-policy plugin, a component that allows administrators to define automated policies based on user actions. In versions prior to the patched releases, a user with policy creation permission (typically a moderator or admin) could abuse the `add-users-to-group` policy attribute. By crafting or modifying a policy, the attacker could specify any private or restricted group—including those they normally do not belong to—and force the policy to add themselves (or arbitrary users) as members. This bypasses the normal group membership restrictions because the plugin lacks sufficient validation that the user manipulating the policy already has access to the target group. Once added to a private group, the attacker can read all topics and categories scoped to that group, leading to unauthorized information disclosure. The issue affects all Discourse installations using the discourse-policy plugin with versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The patch introduces checks ensuring that a user modifying a policy must have at least view permission for any group specified in add-users-to-group; otherwise, the operation is rejected. As a temporary workaround, administrators can either remove all occurrences of `add-users-to-group` from existing policies or disable the plugin entirely by setting `policy_enabled` to `false` in the site settings.
dailycve form
Platform: Discourse
Version: Prior patched
Vulnerability: Privilege escalation
Severity: High
Date: 2026-03-19
Prediction: Already patched March
What Undercode Say:
Check Discourse version grep "VERSION" lib/version.rb 2>/dev/null || cat config/version.rb | grep -i version Check discourse-policy plugin version grep -i "version" plugins/policy/plugin.rb 2>/dev/null || echo "Plugin not present" Verify if policy_enabled site setting is active (rails console) rails console -e production <<EOF puts SiteSetting.policy_enabled EOF List all policies that contain add-users-to-group (admin DB query) psql -d discourse_production -c "SELECT id, name, definition FROM policies WHERE definition ILIKE '%add-users-to-group%';"
Exploit:
1. Obtain a user account with `policy_creator` permission (moderator or admin).
2. Navigate to the Policies section in the Discourse admin panel.
3. Create a new policy or edit an existing one.
4. In the policy definition, add the action `add-users-to-group` with the target group set to any private/restricted group (e.g., group: "secret_team").
5. Trigger the policy (or wait for its scheduled run) – the attacker will be added to that group.
6. Access private topics and categories formerly restricted to that group.
Protection from this CVE
- Upgrade to Discourse version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 immediately.
- If upgrading is not possible, disable the discourse-policy plugin via the site setting: set `policy_enabled` to
false. - Alternatively, review all existing policies and delete the `add-users-to-group` attribute from every policy definition.
- Restrict policy creation permissions to only trusted administrators.
Impact
- Unauthorized membership in any private/restricted group.
- Full read access to all topics and categories that are scoped to those groups.
- Potential exposure of sensitive discussions, private data, and internal communications.
- No direct write or code execution, but the information disclosure can be critical for targeted attacks.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

