CVE-2026-33251

MEDIUM5.4EPSS 0.06%

Discourse has a Hidden Solved topics permission bypass

Published: 3/27/2026Modified: 4/2/2026

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, ensure only trusted users are part of the Site Setting for accept_all_solutions_allowed_groups.

Affected packages (1)

Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-vm2x-9h8x-7jxm
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-33251