CVE-2026-21865 (GCVE-0-2026-21865)

Vulnerability from cvelistv5 – Published: 2026-01-28 19:51 – Updated: 2026-01-28 20:10
VLAI
Title
Discourse topic conversion permission vulnerability for moderators
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
discourse discourse Affected: < 3.5.4
Affected: >= 2025.11.0-latest, < 2025.11.2
Affected: >= 2025.12.0-latest, < 2025.12.1
Affected: >= 2026.1.0-latest, < 2026.1.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21865",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T20:09:33.152008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T20:10:06.915Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "discourse",
          "vendor": "discourse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2025.11.0-latest, \u003c 2025.11.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2025.12.0-latest, \u003c 2025.12.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2026.1.0-latest, \u003c 2026.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn\u0027t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \"personal message enabled groups\" site setting until the Discourse instance has been upgraded to a version that has been patched."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T19:51:37.991Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39"
        }
      ],
      "source": {
        "advisory": "GHSA-4777-wrv5-3g39",
        "discovery": "UNKNOWN"
      },
      "title": "Discourse topic conversion permission vulnerability for moderators"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-21865",
    "datePublished": "2026-01-28T19:51:37.991Z",
    "dateReserved": "2026-01-05T16:44:16.368Z",
    "dateUpdated": "2026-01-28T20:10:06.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-21865",
      "date": "2026-07-15",
      "epss": "0.00222",
      "percentile": "0.12744"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-21865\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-28T20:16:14.530\",\"lastModified\":\"2026-06-17T10:19:03.310\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn\u0027t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \\\"personal message enabled groups\\\" site setting until the Discourse instance has been upgraded to a version that has been patched.\"},{\"lang\":\"es\",\"value\":\"Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. En versiones anteriores a 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0, los moderadores pueden convertir algunos mensajes personales en temas p\u00fablicos cuando no deber\u00edan tener acceso. Este problema est\u00e1 parcheado en las versiones 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0. Como soluci\u00f3n alternativa, el administrador del sitio puede revocar temporalmente el rol de moderaci\u00f3n a los moderadores no confiables o eliminar el grupo de moderadores de la configuraci\u00f3n del sitio \u0027grupos con mensajes personales habilitados\u0027 hasta que la instancia de Discourse haya sido actualizada a una versi\u00f3n que haya sido parcheada.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"discourse\",\"product\":\"discourse\",\"versions\":[{\"version\":\"\u003c 3.5.4\",\"status\":\"affected\"},{\"version\":\"\u003e= 2025.11.0-latest, \u003c 2025.11.2\",\"status\":\"affected\"},{\"version\":\"\u003e= 2025.12.0-latest, \u003c 2025.12.1\",\"status\":\"affected\"},{\"version\":\"\u003e= 2026.1.0-latest, \u003c 2026.1.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-28T20:09:33.152008Z\",\"id\":\"CVE-2026-21865\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*\",\"versionEndExcluding\":\"3.5.4\",\"matchCriteriaId\":\"FDBF21E2-1191-4020-A17A-0702DE4E6451\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*\",\"versionStartIncluding\":\"2025.11.0\",\"versionEndExcluding\":\"2025.11.2\",\"matchCriteriaId\":\"539B5B85-44F0-408E-B994-08BB20EA9C26\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*\",\"matchCriteriaId\":\"CCBF47A8-0D3F-4174-8084-CD3517BF272A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*\",\"matchCriteriaId\":\"F6CF5F98-F08F-4B28-BBE2-8296760A547E\"}]}]}],\"references\":[{\"url\":\"https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "redhat_vex": {
      "current_release_date": "2026-01-29T21:21:02+00:00",
      "cve": "CVE-2026-21865",
      "id": "CVE-2026-21865",
      "initial_release_date": "2026-01-01T00:00:00+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "Discourse topic conversion permission vulnerability for moderators",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21865.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21865\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-28T20:09:33.152008Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-28T20:09:49.084Z\"}}], \"cna\": {\"title\": \"Discourse topic conversion permission vulnerability for moderators\", \"source\": {\"advisory\": \"GHSA-4777-wrv5-3g39\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"discourse\", \"product\": \"discourse\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.5.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2025.11.0-latest, \u003c 2025.11.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2025.12.0-latest, \u003c 2025.12.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2026.1.0-latest, \u003c 2026.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39\", \"name\": \"https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn\u0027t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \\\"personal message enabled groups\\\" site setting until the Discourse instance has been upgraded to a version that has been patched.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-28T19:51:37.991Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-21865\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T20:10:06.915Z\", \"dateReserved\": \"2026-01-05T16:44:16.368Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-28T19:51:37.991Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…