Discourse has a bypass of official warnings messages by non-staff users
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
References
- https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j x_refsource_CONFIRM
- https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f8757be x_refsource_MISC
- https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd531b89 x_refsource_MISC
- https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab35d7886 x_refsource_MISC
Affected products
- === 2026.3.0-latest
- ==>= 2026.2.0-latest, < 2026.2.1
- ==>= 2026.1.0-latest, < 2026.1.2
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
pkgs.discourseAllPlugins
Discourse is an open source discussion platform
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>