CVE-2026-21865 Overview
CVE-2026-21865 is a Missing Authorization vulnerability (CWE-862) in Discourse, the open source discussion platform. This security flaw allows moderators to convert certain personal messages to public topics even when they should not have access to those messages. The vulnerability represents a broken access control issue where privilege boundaries are not properly enforced, potentially exposing private communications to unintended audiences.
Critical Impact
Moderators can bypass access controls to convert personal messages into public topics, potentially exposing private user communications and sensitive information to a wider audience.
Affected Products
- Discourse versions prior to 3.5.4
- Discourse versions prior to 2025.11.2
- Discourse versions prior to 2025.12.1
- Discourse versions prior to 2026.1.0
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-21865 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-21865
Vulnerability Analysis
This vulnerability stems from insufficient authorization checks within the Discourse platform's message conversion functionality. When moderators attempt to convert personal messages to public topics, the application fails to properly validate whether the moderator has legitimate access to the specific personal message being converted. This missing authorization check allows moderators to operate on personal messages they shouldn't be able to view or manipulate.
The impact is particularly concerning in community environments where moderators may not be fully trusted with access to all private communications. Users expect their personal messages to remain confidential between intended recipients, but this vulnerability allows moderators to circumvent that privacy boundary.
Root Cause
The root cause is CWE-862: Missing Authorization. The Discourse application does not perform adequate authorization checks before allowing moderators to execute the personal message to public topic conversion operation. The system assumes that if a user has moderator privileges, they have implicit access to all content, rather than implementing proper per-resource authorization validation.
Attack Vector
An attacker with moderator privileges can exploit this vulnerability through the network-accessible Discourse web interface. The attack requires no user interaction and can be performed with standard moderator credentials. The exploitation flow involves:
- Attacker authenticates as a moderator on the Discourse instance
- Attacker identifies or discovers personal messages they should not have access to
- Attacker uses the message conversion functionality to convert the private message to a public topic
- Private conversation content becomes publicly visible to forum members
The vulnerability mechanism involves the message conversion endpoint failing to verify that the requesting moderator is an authorized participant or administrator of the specific personal message conversation. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-21865
Indicators of Compromise
- Unexpected public topics that were previously personal messages, particularly involving conversations the converting moderator was not part of
- Audit log entries showing moderators converting personal messages from conversations they were not participants in
- User reports of private conversations appearing as public topics without their consent
- Unusual patterns of message-to-topic conversions performed by specific moderator accounts
Detection Strategies
- Review Discourse audit logs for personal message to public topic conversion events, correlating with moderator permissions and message participation
- Implement monitoring for conversion actions where the moderator was not an original participant in the personal message thread
- Enable enhanced logging for all moderator actions involving personal messages
- Create alerts for bulk or unusual patterns of message conversion activity
Monitoring Recommendations
- Configure Discourse to log all personal message access and conversion events with full attribution
- Establish baseline metrics for normal moderator activity and alert on anomalies
- Periodically audit recently converted topics to verify appropriate authorization
- Consider implementing additional approval workflows for sensitive message conversions until patched
How to Mitigate CVE-2026-21865
Immediate Actions Required
- Upgrade Discourse to one of the patched versions: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
- Audit recent moderator activity for any unauthorized personal message conversions
- Review the trust level and permissions of current moderators
- Notify users if any unauthorized conversions of their private messages are discovered
Patch Information
Discourse has released security patches in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Organizations should upgrade to one of these versions as soon as possible. For detailed patch information and upgrade instructions, consult the GitHub Security Advisory (GHSA-4777-wrv5-3g39).
Workarounds
- Temporarily revoke the moderation role from untrusted moderators until the Discourse instance is upgraded
- Remove the moderator group from the "personal message enabled groups" site setting to prevent moderator access to personal messages entirely
- Implement additional manual review processes for any topic conversions performed by moderators
- Consider temporarily disabling the personal message to public topic conversion feature if possible through Discourse settings
# Workaround: Remove moderator group from personal message enabled groups
# Navigate to Discourse Admin Settings and modify:
# Settings -> Users -> personal message enabled groups
# Remove 'moderators' group from the list until patch is applied
# After patching, upgrade Discourse using standard procedures:
cd /var/discourse
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
