CVE-2026-27934 HIGH

CVE-2026-27934: Discourse leaks private topic title and post excerpt via user action API endpoint

Vendor Discourse
Product discourse
Weakness CWE-201
Published March 19, 2026
Last update March 20, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 lack visibility checks on a user action API endpoint, which discloses the title and post excerpt to unauthorized users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Key dates

02 Disclosure timeline

March 19, 2026 CVE published
March 20, 2026 Record updated