{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.700Z", "datePublished": "2026-03-20T02:55:58.300Z", "dateUpdated": "2026-03-21T02:54:32.524Z"}, "containers": {"cna": {"title": "Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "< 2026.3.0-latest.1", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:55:58.300Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-jj9p-p7m6-jq96", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T02:54:20.305999Z", "id": "CVE-2026-30888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:54:32.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T02:54:20.305999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:54:28.617Z"}}], "cna": {"title": "Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint", "source": {"advisory": "GHSA-jj9p-p7m6-jq96", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "< 2026.3.0-latest.1"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:55:58.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30888", "state": "PUBLISHED", "dateUpdated": "2026-03-21T02:54:32.524Z", "dateReserved": "2026-03-06T00:04:56.700Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:55:58.300Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Las versiones anteriores a 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 permiten a un moderador editar documentos de pol\u00edtica del sitio (T\u00e9rminos de Servicio, directrices, pol\u00edtica de privacidad) que tienen expl\u00edcitamente prohibido modificar. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-30888", "lastModified": "2026-03-24T19:59:16.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T03:15:58.860", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.3.0-latest.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.1.0-latest,2026.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T22:27:21.043802+00:00", "value": {"mitigation_remediation": ["Update Discourse to the patched release 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2", "Verify that policy documents are no longer editable by moderator accounts after the update", "Audit moderator activity logs for any unauthorized policy edits", "Apply least\u2011privilege controls to restrict moderator permissions to only what is necessary for their role"], "summary": {"action": "Apply patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Discourse releases older than 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2. Any installation running one of those pre\u2011patched versions is susceptible. The affected product is identified as Discourse by the CNA, and the specific versions are listed in the advisory.", "description_and_impact": "Discourse, the open\u2011source discussion platform, contains a flaw that allows a moderator to craft a request to the suspend/silence endpoint with an arbitrary post_id. Through this avenue the moderator can edit site policy documents\u2014such as the Terms of Service, community guidelines, and privacy policy\u2014that are normally protected from modification. This flaw removes a critical guardrail, enabling the unauthorized alteration of the legal and operational framework of the site.", "risk_and_exploitability": "The CVSS score of 2.2 indicates a low severity rating, and an EPSS score of less than 1% suggests that exploitation is unlikely in the wild. The description does not indicate an external attack vector; based on the information, it is inferred that the exploit requires a moderator account, which is a role normally granted to trusted staff. Because the vulnerability is not present in the CISA KEV catalog, there is no evidence of active exploitation. The overall risk to an organization is therefore low, assuming that only legitimate moderators have access and have not abused their elevated permissions."}}}}, "created": "2026-03-20T08:52:56.953253+00:00", "updated": "2026-03-25T14:09:35.392710+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}