CVE-2026-27151 LOW

CVE-2026-27151: Discourse doesn't validate destination topic when moving posts

Vendor Discourse
Product discourse
Weakness CWE-862 · Missing authorization
Published February 26, 2026
Last update March 3, 2026
View on NVD All CVEs

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Key dates

02Disclosure timeline

February 26, 2026 CVE published
March 3, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-32714 WordPress Academy LMS plugin <= 1.9.16 - Broken Access Control vulnerability CVE-2025-13493 Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export CVE-2026-3651 Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action CVE-2023-47770 WordPress BeTheme theme <= 27.1.1 - Contributor+ Broken Access Control vulnerability CVE-2026-2651 Missing Authorization Validation in mlflow/mlflow