← back
CVE-2026-26979

Discourse: TL4 users are able to change status of restricted topics

CVSS 0 NONEEPSS 0.2%CWE-862
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 0EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
26 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
discourse · discourse

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/discourse/discourse/security/advisories/GHSA-9c7p-fqc5-c24f