CVE-2026-26973

描述

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue.

受影響套件(1)

• Bitnami/discoursefrom 0, < 2025.12.2, >= 2026.1.0, < 2026.1.1

CVSS 分數

參考連結(2)

• WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-c587-qx78-vhmx
• WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-26973