Discourse, Restriction Bypass, CVE-2026-27936 (Medium)

Listen to this Post

The vulnerability CVE-2026-27936 exists in Discourse, an open-source discussion platform, due to improper authorization checks when handling post action counts. In affected versions, the API endpoint responsible for retrieving aggregated counts of restricted post actions (such as likes, flags, or bookmarks) does not adequately verify the requester’s privileges. A remote, unauthenticated attacker can craft a specific request—likely manipulating parameters or the endpoint structure—to bypass these access controls. This flaw allows the disclosure of sensitive metadata about post interactions that should only be visible to privileged users like moderators or admins. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). The impact is limited to confidentiality, specifically the unauthorized viewing of restricted interaction counts (VC:L). Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 are vulnerable. The issue is patched in the mentioned versions, and no workarounds are available. The CVSS 4.0 score is 6.9 MEDIUM.
Platform: Discourse
Version: pre-2026.3.0-latest.1
Vulnerability : Restriction Bypass
Severity: Medium
date: 2026-03-19

Prediction: 2026-03-20

What Undercode Say:

Analytics

Simulate a crafted request to bypass restrictions
curl -X GET "https://discourse.example.com/posts/123/action_counts?restricted=true" \
-H "User-Agent: Mozilla/5.0" \
-H "Accept: application/json"

Exploit:

An unauthenticated attacker sends a manipulated API request to `/post_action_counts` with specific parameters that bypass privilege checks, revealing counts of flags and other restricted actions.

Protection from this CVE:

Upgrade to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 immediately. Apply the official patch from GitHub; no configuration workarounds exist.

Impact:

Non-privileged users can enumerate sensitive post interaction data (e.g., flags, bookmarks) intended only for moderators, potentially exposing moderation activity and user behavior metrics.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top