CVE-2026-26979

EUVD-2026-8879
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.7 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
discoursediscourse
𝑥
< 2025.12.0
discoursediscourse
2026.1.0 ≤
𝑥
< 2026.1.1
discoursediscourse
2026.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f