NIXPKGS-2026-0435

GitHub issue published on 27 Feb 2026

Permalink CVE-2026-26207

5.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
5 packages
- discourse-mail-receiver
- python312Packages.pydiscourse
- python313Packages.pydiscourse
- python314Packages.pydiscourse
- grafanaPlugins.grafana-discourse-datasource
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

DIscourse's discourse-policy plugin lacks post access check

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyController` loads posts by ID without verifying the current user's access, enabling policy group members to accept/unaccept policies on posts in private categories or PMs they cannot see and any authenticated user to enumerate which post IDs have policies attached via differentiated error responses (information disclosure). The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by adding a `guardian.can_see?(@post)` check in the `set_post` before_action, ensuring post visibility is verified before any policy action is processed. As a workaround, disabling the discourse-policy plugin (`policy_enabled = false`) eliminates the vulnerability. There is no other workaround without upgrading.

References

https://github.com/discourse/discourse/security/advisories/GHSA-jr4h-w6p5-w55r x_refsource_CONFIRM

Affected products

discourse

==< 2025.12.2
==>= 2026.1.0-latest, < 2026.1.1
==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2025.12.1
- nixpkgs-unstable 2025.12.1
- nixos-unstable-small 2025.12.1
nixos-25.11 2025.12.1
- nixos-25.11-small 2025.12.1
- nixpkgs-25.11-darwin 2025.12.1

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2025.12.1
- nixpkgs-unstable 2025.12.1
- nixos-unstable-small 2025.12.1
nixos-25.11 2025.12.1
- nixos-25.11-small 2025.12.1
- nixpkgs-25.11-darwin 2025.12.1

Ignored packages (5)

pkgs.discourse-mail-receiver

Helper program which receives incoming mail for Discourse

nixos-unstable 4.1.0
- nixpkgs-unstable 4.1.0
- nixos-unstable-small 4.1.0
nixos-25.11 4.1.0
- nixos-25.11-small 4.1.0
- nixpkgs-25.11-darwin 4.1.0

pkgs.python312Packages.pydiscourse

Python library for working with Discourse

nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python313Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0
nixos-25.11 1.7.0
- nixos-25.11-small 1.7.0
- nixpkgs-25.11-darwin 1.7.0

pkgs.python314Packages.pydiscourse

Python library for working with Discourse

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.grafanaPlugins.grafana-discourse-datasource

Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana

nixos-unstable 2.0.2
- nixpkgs-unstable 2.0.2
- nixos-unstable-small 2.0.2
nixos-25.11 2.0.2
- nixos-25.11-small 2.0.2
- nixpkgs-25.11-darwin 2.0.2

Package maintainers

@talyz Kim Lindberger <kim.lindberger@gmail.com>

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-jr4h-w6p5-w55r

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0435

References

Affected products

Matching in nixpkgs

pkgs.discourse

pkgs.discourseAllPlugins

pkgs.discourse-mail-receiver

pkgs.python312Packages.pydiscourse

pkgs.python313Packages.pydiscourse

pkgs.python314Packages.pydiscourse

pkgs.grafanaPlugins.grafana-discourse-datasource

Package maintainers