CVE-2026-26979 | THREATINT

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

PUBLISHED Reserved 2026-02-17 | Published 2026-02-26 | Updated 2026-02-26 | Assigner GitHub_M

Problem types

CWE-862: Missing Authorization

Product status

< 2025.12.2

affected

>= 2026.1.0-latest, < 2026.1.1

affected

>= 2026.2.0-latest, < 2026.2.0

affected

References

github.com/...course/security/advisories/GHSA-9c7p-fqc5-c24f

cve.org (CVE-2026-26979)

nvd.nist.gov (CVE-2026-26979)

Download JSON