Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: discourse

Found 108 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2026-27454
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse has check revision visibility on posts endpoint

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The display_post method called post.revert_to directly without verifying whether the revision was hidden or if the user had permission to view edit history. This meant hidden revisions (intentionally concealed by staff) could be read by any user by simply enumerating version numbers. Starting in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, Discourse looks up the PostRevision and call guardian.ensure_can_see! before reverting, consistent with how the /posts/:id/revisions/:revision endpoint already authorizes access. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-33408
2.2 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse has Improper Authorization in "Post Edits" Report For Moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Untriaged
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse Vulnerable to Stored XSS via Shared AI Conversation Onebox

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, tighten access by changing the `ai_bot_public_sharing_allowed_groups` site setting.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Untriaged
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse discloses restricted post-action counts to non-privileged users

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a restriction bypass allows restricted post action counts to be disclosed to non-privileged users through a carefully crafted request. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Untriaged
Permalink CVE-2026-33410
5.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Second, `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content from the serialized channel response. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Untriaged
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

Affected products

discourse
  • ==>= 2026.2.0-latest, < 2026.2.1
  • === 2026.3.0-latest
  • ==>= 2026.1.0-latest, < 2026.1.2

Matching in nixpkgs

Package maintainers

Untriaged
created 3 months, 2 weeks ago Activity log
  • Created suggestion
Discourse leaks private topic title and post excerpt via user action API endpoint

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Affected products

discourse
  • ==>= 2026.1.0-latest, < 2026.1.2
  • === 2026.3.0-latest
  • ==>= 2026.2.0-latest, < 2026.2.1

Matching in nixpkgs

Package maintainers

Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-m49w-78mh-87jp
Published
Permalink CVE-2026-26078
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68
Published
updated 4 months, 1 week ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    5 packages
    • discourse-mail-receiver
    • python312Packages.pydiscourse
    • python313Packages.pydiscourse
    • python314Packages.pydiscourse
    • grafanaPlugins.grafana-discourse-datasource
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Banners

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an improper authorization check in the topic management logic allows authenticated users to modify privileged attributes of their topics. By manipulating specific parameters in a PUT or POST request, a regular user can elevate a topic’s status to a site-wide notice or banner, bypassing intended administrative restrictions. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. There are no practical workarounds to prevent this behavior other than applying the security patch. Administrators concerned about unauthorized promotions should audit recent changes to site banners and global notices until the fix is deployed.

Affected products

discourse
  • ==< 2025.12.2
  • ==>= 2026.1.0-latest, < 2026.1.1
  • ==>= 2026.2.0-latest, < 2026.2.0

Matching in nixpkgs

Ignored packages (5)

Package maintainers

Upstream advisory: https://github.com/discourse/discourse/security/advisories/GHSA-8v26-9f7h-jc8x