Activity log
- Created suggestion
Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
References
-
https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf x_refsource_CONFIRM
Affected products
- ==>= 2026.2.0-latest, < 2026.2.1
- === 2026.3.0-latest
- ==>= 2026.1.0-latest, < 2026.1.2
Matching in nixpkgs
pkgs.discourse
Open source discussion platform
pkgs.discourseAllPlugins
Open source discussion platform
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
None
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>