CVE-2026-26973

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-c587-qx78-vhmx	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse::::::::
	cpe:2.3:a:discourse:discourse:2026.2.0::::latest:::

History

No history.

Information

Published : 2026-02-26 20:31

Updated : 2026-03-02 21:36

NVD link : CVE-2026-26973

Mitre link : CVE-2026-26973

CVE.ORG link : CVE-2026-26973

JSON object : View

Products Affected

discourse

discourse

CWE

CWE-863

Incorrect Authorization

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-26973", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-26T20:31:37.327", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-c587-qx78-vhmx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Versiones anteriores a 2025.12.2, 2026.1.1 y 2026.2.0 tienen una IDOR (Referencia Directa Insegura a Objeto) en `ReviewableNotesController`. Cuando `enable_category_group_moderation` est\u00e1 habilitado, un usuario que pertenece a un grupo de moderaci\u00f3n de categor\u00eda puede crear o eliminar sus propias notas en cualquier elemento revisable del sistema, incluyendo elementos revisables en categor\u00edas que no modera. El controlador us\u00f3 un `Reviewable.find` sin \u00e1mbito y la protecci\u00f3n `ensure_can_see` solo verificaba si el usuario pod\u00eda acceder a la cola de revisi\u00f3n en general, no si pod\u00eda acceder al elemento revisable espec\u00edfico. Solo las instancias con `enable_category_group_moderation` habilitado se ven afectadas. Los usuarios del personal (administradores/moderadores) no se ven afectados ya que ya tienen acceso a todos los elementos revisables. El problema est\u00e1 parcheado en las versiones 2025.12.2, 2026.1.1 y 2026.2.0 al limitar la b\u00fasqueda de elementos revisables a trav\u00e9s de `Reviewable.viewable_by(current_user)`. Como soluci\u00f3n alternativa, deshabilite la configuraci\u00f3n del sitio `enable_category_group_moderation`. Esto elimina la superficie de ataque ya que solo los usuarios del personal tendr\u00e1n acceso a la cola de revisi\u00f3n."}], "lastModified": "2026-03-02T21:36:35.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DB837D7-28C8-4E0F-B55F-AAAA36F32035", "versionEndExcluding": "2025.12.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "2026.1.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*", "vulnerable": true, "matchCriteriaId": "BB002FDC-BC71-4C46-8AAF-A34EC717E0E7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}