CVE-2026-33428

EPSS 0.02%

Discourse Allows Unauthorized Access to Deleted Posts Index via Group Membership

Published: 3/27/2026Modified: 4/2/2026

Also known as:GHSA-frcw-p4mc-x6mpBIT-discourse-2026-33428

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions 2026.3.0, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected packages (1)

Bitnami/discourse>= 2026.1.0, < 2026.1.2, >= 2026.2.0, < 2026.2.1, >= 2026.3.0, < 2026.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-frcw-p4mc-x6mp
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-33428