CVE-2026-26207 Overview
CVE-2026-26207 is a Missing Authorization vulnerability (CWE-862) affecting the Discourse open source discussion platform's discourse-policy plugin. The vulnerability allows any authenticated user to interact with policies on posts they do not have permission to view, exposing sensitive information and enabling unauthorized policy manipulation.
Critical Impact
Authenticated users can accept/unaccept policies on restricted posts in private categories or PMs, and enumerate post IDs with attached policies through differentiated error responses.
Affected Products
- Discourse versions prior to 2025.12.2
- Discourse versions prior to 2026.1.1
- Discourse versions prior to 2026.2.0
Discovery Timeline
- 2026-02-26 - CVE-2026-26207 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-26207
Vulnerability Analysis
This vulnerability stems from a Missing Authorization flaw in the PolicyController component of the discourse-policy plugin. The controller loads posts by ID without verifying that the current authenticated user is allowed to view those posts. This broken access control enables two distinct attack scenarios: policy group members can manipulate policies on posts in private categories or private messages they should not be able to see, and any authenticated user can discover which post IDs have policies attached, because the application returns different error responses for different cases.
The vulnerability requires only low-privilege authenticated access to exploit, making it accessible to any registered user on affected Discourse installations. While the vulnerability does not enable arbitrary code execution or complete data compromise, it undermines the access control model that protects private content within the platform.
Root Cause
The root cause lies in the PolicyController's set_post before_action, which retrieves posts by their ID parameter without implementing a corresponding access control check. The controller assumes that if a post exists, the requesting user should be able to interact with its associated policies. This violates the principle of defense in depth, as the application fails to enforce the existing visibility permissions at the controller level.
The missing check is a call to guardian.can_see?(@post) which would verify that the authenticated user has the necessary permissions to view the post before processing any policy-related actions.
Attack Vector
The attack is network-based and requires low privileges (any authenticated user). An attacker can craft direct requests to the PolicyController endpoints with arbitrary post IDs. For posts in private categories or private messages:
Policy Manipulation: If the attacker is a policy group member, they can accept or unaccept policies on posts they cannot legitimately view, potentially bypassing workflow requirements or compliance acknowledgments.
Information Disclosure: By iterating through post IDs and observing the different error responses (e.g., "post not found" vs. "policy not found" vs. successful response), an attacker can enumerate which posts have policies attached, revealing information about the structure and content of private discussions.
This attack requires no user interaction and can be automated for large-scale enumeration.
Detection Methods for CVE-2026-26207
Indicators of Compromise
- Unusual patterns of requests to policy-related API endpoints with sequential or randomized post IDs
- Authenticated users accessing policy endpoints for posts outside their permitted categories or groups
- High volume of policy accept/unaccept actions from a single user across multiple unrelated posts
- Error response patterns indicating enumeration attempts against the PolicyController
Detection Strategies
- Monitor application logs for repeated requests to /policy/ endpoints with varying post IDs from the same session
- Implement rate limiting on policy-related API endpoints to slow enumeration attacks
- Audit policy acceptance events for anomalies where users accept policies on posts they have never viewed
- Correlate post access logs with policy action logs to identify discrepancies
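One way to implement the first strategy above (repeated /policy/ requests with varying post IDs from the same user), as an added Ruby example that is not part of Discourse or the plugin: the log line format, the /policy/accept path and the post_id parameter are assumptions, and the sample lines are constructed.

```ruby
require "time"

# Constructed sample log; the format and paths are assumptions, not Discourse's real routes:
# "<ISO time> user=<id> <METHOD> <path> [post_id=<n>] status=<code>"
SAMPLE_LOG = <<~LOG
  2026-02-27T10:00:01Z user=42 PUT /policy/accept post_id=101 status=200
  2026-02-27T10:00:02Z user=42 PUT /policy/accept post_id=102 status=404
  2026-02-27T10:00:03Z user=42 PUT /policy/accept post_id=103 status=404
  2026-02-27T10:00:04Z user=42 PUT /policy/accept post_id=104 status=404
  2026-02-27T10:00:05Z user=42 PUT /policy/accept post_id=105 status=200
  2026-02-27T10:00:06Z user=42 PUT /policy/accept post_id=106 status=404
  2026-02-27T10:05:00Z user=7 PUT /policy/accept post_id=101 status=200
  2026-02-27T10:06:00Z user=7 GET /t/some-topic/55 status=200
LOG

LINE_RE = /\A(?<ts>\S+) user=(?<user>\d+) (?<method>\S+) (?<path>\S+)(?: post_id=(?<post>\d+))? status=(?<status>\d+)\z/
Event = Struct.new(:time, :user, :path, :post_id, :status)

# Parses log lines into events; malformed lines are skipped rather than aborting the scan.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    Event.new(Time.iso8601(m[:ts]), m[:user], m[:path], m[:post]&.to_i, m[:status].to_i)
  end
end

# Flags a user whose /policy/ requests within any `window`-second span touch at least
# `min_posts` distinct post IDs and collect at least `min_not_found` rejections: probing
# the PolicyController with arbitrary IDs leaves exactly that trail of varying IDs and 404s.
def enumeration_suspects(events, window: 60, min_posts: 5, min_not_found: 3)
  policy = events.select { |e| e.path.start_with?("/policy/") && e.post_id }
  policy.group_by(&:user).filter_map do |user, evs|
    evs = evs.sort_by(&:time)
    hit = evs.each_index.lazy.map { |i|
      slice = evs[i..].take_while { |e| e.time - evs[i].time <= window }
      [slice.map(&:post_id).uniq.size, slice.count { |e| e.status == 404 }]
    }.find { |posts, nf| posts >= min_posts && nf >= min_not_found }
    hit && { user: user, distinct_posts: hit[0], not_found: hit[1] }
  end
end
```

Tune `window`, `min_posts` and `min_not_found` to the site's normal traffic before alerting on the result; a single legitimate user can accept several policies in a row without any 404s.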
Monitoring Recommendations
- Enable detailed logging for all PolicyController actions including the requesting user and target post ID
- Set up alerts for high-frequency policy endpoint requests that may indicate automated enumeration
- Review policy compliance reports for unexpected policy interactions from users without corresponding post view activity
- Monitor for authentication anomalies in conjunction with policy API access patterns
How to Mitigate CVE-2026-26207
Immediate Actions Required
- Immediately upgrade Discourse to 2025.12.2, 2026.1.1, 2026.2.0, or a later release
- If immediate patching is not possible, disable the discourse-policy plugin by setting policy_enabled = false in site settings
- Review policy action logs for evidence of exploitation prior to patching
- Audit which users have interacted with policies on posts outside their normal access scope
Patch Information
The vulnerability is patched in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix adds a guardian.can_see?(@post) check in the set_post before_action of the PolicyController, ensuring that post visibility is verified before any policy action is processed.
For detailed patch information, refer to the GitHub Security Advisory.
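The set_post pattern described under Root Cause, beside the patched form from Patch Information, as an added Ruby example that is not the discourse-policy plugin's own code: Discourse::NotFound, Post, Guardian and its visibility rule are constructed stand-ins, and answering missing and invisible posts with the same response is an assumption made here, not necessarily what the real patch does.

```ruby
# Constructed stand-ins for Discourse::NotFound, Post and Guardian; not the plugin's real classes.
module Discourse
  class NotFound < StandardError; end
end

Post = Struct.new(:id, :restricted, :has_policy)

class Guardian
  def initialize(user)
    @user = user
  end

  # Assumed rule: restricted posts (private category or PM) are visible only to staff.
  def can_see?(post)
    !post.restricted || @user[:staff]
  end
end

# Constructed posts: 1 public with a policy, 2 restricted with a policy, 3 restricted without one.
POSTS = { 1 => Post.new(1, false, true), 2 => Post.new(2, true, true), 3 => Post.new(3, true, false) }

class PolicyController
  def initialize(user, posts = POSTS)
    @guardian = Guardian.new(user)
    @posts = posts
  end

  # Vulnerable pattern from Root Cause: the post's existence alone lets the action proceed.
  def set_post_vulnerable(post_id)
    @post = @posts[post_id] or raise Discourse::NotFound, "post not found"
  end

  # Patched pattern: visibility is verified first. Returning the same "not found" for
  # missing and invisible posts is an assumption made here so the error stops being an oracle.
  def set_post_patched(post_id)
    @post = @posts[post_id]
    raise Discourse::NotFound, "not found" unless @post && @guardian.can_see?(@post)
    @post
  end

  # Simulated accept action: returns the response body a client would observe.
  def accept(post_id, patched:)
    post = patched ? set_post_patched(post_id) : set_post_vulnerable(post_id)
    raise Discourse::NotFound, "policy not found" unless post.has_policy
    "accepted"
  rescue Discourse::NotFound => e
    e.message
  end
end
```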
Workarounds
- Disable the discourse-policy plugin by setting policy_enabled = false in Discourse site settings if upgrading is not immediately feasible
- There is no other workaround without upgrading to a patched version
- Consider temporarily restricting access to the Discourse instance if the policy plugin is business-critical and cannot be disabled
# Discourse site settings workaround
# Access admin panel -> Settings -> Plugins
# Set policy_enabled to false
policy_enabled = false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.