CVE-2026-33408
LOW2.7EPSS 0.01%Discourse has Improper Authorization in "Post Edits" Report For Moderators
Published: 3/27/2026Modified: 4/2/2026
Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Affected packages (1)
- Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
References (5)
- WEBhttps://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c
- WEBhttps://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1
- WEBhttps://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800
- WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-33408