{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28282", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-03-19T21:45:13.648Z", "dateUpdated": "2026-03-20T18:10:26.922Z"}, "containers": {"cna": {"title": "Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf"}, {"name": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add"}, {"name": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b"}, {"name": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:48:54.093Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting."}], "source": {"advisory": "GHSA-6cc8-x3rm-j5pf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:00:56.189009Z", "id": "CVE-2026-28282", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:10:26.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28282", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:00:56.189009Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:01:00.627Z"}}], "cna": {"title": "Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin", "source": {"advisory": "GHSA-6cc8-x3rm-j5pf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add", "name": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b", "name": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951", "name": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:48:54.093Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28282", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:10:26.922Z", "dateReserved": "2026-02-26T01:52:58.735Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T21:45:13.648Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Las versiones anteriores a 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 tienen una falla de seguridad en el plugin discourse-policy que permit\u00eda a un usuario con permiso de creaci\u00f3n de pol\u00edticas obtener acceso de membres\u00eda a cualquier grupo privado/restringido. Una vez que se ha obtenido la membres\u00eda a un grupo privado/restringido, el usuario podr\u00e1 leer temas privados a los que solo el grupo tiene acceso. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. Como soluci\u00f3n alternativa, revise todas las pol\u00edticas para el uso de 'add-users-to-group' y elimine temporalmente el atributo de la pol\u00edtica. Alternativamente, deshabilite el plugin discourse-policy deshabilitando la configuraci\u00f3n del sitio 'policy_enabled'."}], "id": "CVE-2026-28282", "lastModified": "2026-03-23T20:16:43.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T03:48:39.012773+00:00", "value": {"mitigation_remediation": ["Update Discourse to version 2026.3.0\u2011latest.1 or newer, or to the 2026.2.1 or 2026.1.2 patched releases.", "If a quick upgrade is not possible, review all policies that use add\u2011users\u2011to\u2011group and remove that attribute from the policy until a patch is applied.", "Alternatively, disable the discourse\u2011policy plugin by setting policy_enabled to false in the site settings.", "Restrict policy\u2011creation permission to trusted administrators and audit existing policies regularly."], "summary": {"action": "Apply patch", "impact": "Unauthorized group membership addition exposing private content"}, "threat_synthesis": {"affected_systems": "Discourse, the open\u2011source discussion software, is affected. Versions older than 2026.3.0\u2011latest.1, prior to 2026.2.1, and prior to 2026.1.2. The patch is supplied in releases 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2.", "description_and_impact": "The flaw resides in the discourse-policy plugin of the Discourse forum platform. A user with permission to create or edit policies can exploit the add\u2011users\u2011to\u2011group capability to forcefully join any private or restricted group. This sidesteps the normal access controls and lets the user read topics that are otherwise protected to group members. The weakness involves improper authorization logic, classified as CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 2.3 indicates low severity, yet the vulnerability permits privilege escalation within the application for users with policy\u2011creation rights. EPSS is below 1%, implying low exploitation probability. It is not listed in the CISA KEV catalog. The attack vector is application\u2011level and requires an authenticated user who currently has permission to create or modify policies; no external network exposure is needed. This inference is based on the description provided."}}}}, "created": "2026-03-20T08:55:30.072166+00:00", "updated": "2026-03-25T11:54:39.061728+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}