Auth bypass in Discourse

CVE-2026-28282

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access…

Vulnerability class: Broken Access Control

EPSS: 0.000 (5.2th percentile) — read the EPSS interpretation.

Affected products

Discourse — versions >= 2026.1.0-latest, < 2026.1.2, >= 2026.2.0-latest, < 2026.2.1, = 2026.3.0-latest

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf (x_refsource_CONFIRM)
https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add (x_refsource_MISC)
https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b (x_refsource_MISC)
https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951 (x_refsource_MISC)