Nixpkgs security tracker
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
5 packages
- discourse-mail-receiver
- python312Packages.pydiscourse
- python313Packages.pydiscourse
- python314Packages.pydiscourse
- grafanaPlugins.grafana-discourse-datasource
- @LeSuisse accepted
- @LeSuisse published on GitHub
Discourse doesn't validate destination topic when moving posts
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. This allowed TL4 users and category group moderators to move posts into topics in categories where they lack posting privileges (e.g., read-only categories or categories with group-restricted write access). Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
References
-
https://github.com/discourse/discourse/security/advisories/GHSA-m69h-9m2g-cfgw x_refsource_CONFIRM
Affected products
- ==< 2025.12.2
- ==>= 2026.2.0-latest, < 2026.2.0
- ==>= 2026.1.0-latest, < 2026.1.1
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
Ignored packages (5)
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>