CVE-2026-21865 MEDIUM

CVE-2026-21865: Discourse topic conversion permission vulnerability for moderators

Vendor Discourse
Product discourse
Weakness CWE-862 · Missing authorization
Published January 28, 2026
Last update January 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated

Related vulnerabilities

04Related CVE