CVE-2026-26979

EPSS 0.05%

Discourse: TL4 users are able to change status of restricted topics

Published: 3/3/2026Modified: 3/3/2026

Also known as:GHSA-9c7p-fqc5-c24fBIT-discourse-2026-26979

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected packages (1)

Bitnami/discoursefrom 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-26979