CVE-2026-27150 Overview
CVE-2026-27150 is a Missing Authorization vulnerability (CWE-862) in Discourse, an open source discussion platform. It lies in the Data Explorer plugin's QueryGroupBookmarkable component, the class that lets users bookmark query groups (the plugin's records that associate a saved query with a user group permitted to run it). Because the class did not implement the validate_before_create authorization check, any logged-in user could create bookmarks for query groups they cannot otherwise see. The unauthorized bookmark then acts as a side channel: the bookmark reminder notification discloses metadata about the query group to its owner.
Critical Impact
Any authenticated user can bypass the query-group access check to create bookmarks they are not entitled to, and the resulting bookmark reminder notifications can expose metadata about query groups they cannot otherwise see. The impact is information disclosure plus unauthorized bookmark records, not code execution or modification of the queries themselves.
Affected Products
- Discourse before 2025.12.2 (2025.12 release branch)
- Discourse before 2026.1.1 (2026.1 release branch)
- Discourse before 2026.2.0 (2026.2 release branch)
Discovery Timeline
- 2026-02-26 - CVE-2026-27150 published to NVD
- 2026-02-26 - NVD record last updated
Technical Details for CVE-2026-27150
Vulnerability Analysis
This vulnerability stems from a missing authorization check in Discourse's Data Explorer plugin. The QueryGroupBookmarkable class does not implement validate_before_create, the hook each bookmarkable type uses to verify that the requesting user may access the underlying record before a bookmark is created. Without it, the bookmark-creation path accepts requests from any authenticated user, regardless of whether that user can see the query group being bookmarked.
The impact is information disclosure. Once the unauthorized bookmark exists, the reminder notification Discourse sends for it carries metadata about the query group. The advisory does not enumerate which fields are included, but even the names of restricted queries reveal what an organization is querying internally, its naming conventions, and potentially the purpose of individual queries.
Root Cause
The root cause is the absence of the validate_before_create authorization method in the QueryGroupBookmarkable class. This method should verify that the authenticated user has permission to access the query group before allowing bookmark creation. The base BaseBookmarkable class did not enforce implementation of this critical method, allowing derived classes to inadvertently skip authorization checks.
Attack Vector
An attacker who holds any valid account on the Discourse instance can exploit this remotely over the network; attack complexity is low and no interaction from another user is required. The steps are:
- Authenticate to the Discourse instance with any valid user account
- Identify or enumerate query group IDs (these are sequential database IDs, so guessing small integers is practical even without a separate disclosure)
- Submit bookmark-creation requests that target query groups the account cannot see; the server accepts them because no authorization check runs for this bookmarkable type
- Set a reminder on the bookmark and wait for the reminder notification, which includes metadata about the bookmarked query group
The confidentiality impact is the disclosed metadata. The integrity impact is limited to the unauthorized bookmark rows themselves, which associate the attacker's account with resources it should not be able to reference.
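The root cause and the attack path described above, condensed into one runnable Ruby model. This is an added illustration of the bug class and is not Discourse's code: the class and method names mirror the advisory (BaseBookmarkable, QueryGroupBookmarkable, validate_before_create), while the method bodies, the Guardian stand-in, the access rule (admins and members of the assigned group may see a query group) and the reminder payload shape are assumptions made for this example. It shows the pre-fix base class silently accepting an outsider's bookmark, the patched subclass rejecting it, and the patched base class refusing a subclass that forgets the override.

```ruby
# Added illustration of the CVE-2026-27150 bug class; this is not Discourse's
# code. Names mirror the advisory (BaseBookmarkable, QueryGroupBookmarkable,
# validate_before_create); the bodies, the Guardian stand-in and the data
# shapes below are assumptions for this example.

User       = Struct.new(:id, :admin, :group_ids)
QueryGroup = Struct.new(:id, :query_name, :group_id)
Bookmark   = Struct.new(:user_id, :bookmarkable_type, :bookmarkable_id)

# Stand-in for Discourse's Guardian. Assumed rule: admins, and members of the
# group a query group is assigned to, may see that query group.
class Guardian
  attr_reader :user

  def initialize(user)
    @user = user
  end

  def can_see_query_group?(query_group)
    user.admin || user.group_ids.include?(query_group.group_id)
  end
end

class BookmarkInvalid < StandardError; end

# --- Before the fix -------------------------------------------------------
# The base class shipped a no-op default, so a bookmarkable that never
# overrode validate_before_create accepted every request.
class OldBaseBookmarkable
  def self.validate_before_create(_guardian, _bookmarkable); end
end

class VulnerableQueryGroupBookmarkable < OldBaseBookmarkable
  # No validate_before_create here: this omission is the vulnerability.
end

# --- After the fix --------------------------------------------------------
# The base class now refuses to be used without an explicit override...
class BaseBookmarkable
  def self.validate_before_create(_guardian, _bookmarkable)
    raise NotImplementedError, "#{name} must implement validate_before_create"
  end
end

# ...and the query-group bookmarkable performs the access check itself.
class QueryGroupBookmarkable < BaseBookmarkable
  def self.validate_before_create(guardian, query_group)
    return if guardian.can_see_query_group?(query_group)
    raise BookmarkInvalid,
          "user #{guardian.user.id} cannot see query group #{query_group.id}"
  end
end

# A bookmarkable that forgets the override, to show the new guard rail.
class ForgetfulBookmarkable < BaseBookmarkable; end

# Simplified creation path: validate through the bookmarkable, then persist.
def create_bookmark(bookmarkable_class, guardian, query_group)
  bookmarkable_class.validate_before_create(guardian, query_group)
  Bookmark.new(guardian.user.id, "DataExplorer::QueryGroup", query_group.id)
end

# What a reminder notification would expose (assumed shape): the query name
# is the metadata an unauthorized bookmark owner should never receive.
def reminder_payload(bookmark, query_group)
  { user_id: bookmark.user_id, title: query_group.query_name,
    bookmarkable_id: bookmark.bookmarkable_id }
end

# Constructed scenario: a query group restricted to group 7, one outsider
# (member of group 3 only) and one legitimate member of group 7.
SECRET_QG = QueryGroup.new(42, "finance-payroll-export", 7)
OUTSIDER  = User.new(1001, false, [3])
MEMBER    = User.new(1002, false, [7])

# Returns :created, :rejected or :not_implemented for a bookmarkable/user pair.
def attempt(bookmarkable_class, user)
  create_bookmark(bookmarkable_class, Guardian.new(user), SECRET_QG)
  :created
rescue BookmarkInvalid
  :rejected
rescue NotImplementedError
  :not_implemented
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, outsider: #{attempt(VulnerableQueryGroupBookmarkable, OUTSIDER)}"
  puts "patched,    outsider: #{attempt(QueryGroupBookmarkable, OUTSIDER)}"
  puts "patched,    member:   #{attempt(QueryGroupBookmarkable, MEMBER)}"
  puts "forgetful subclass:   #{attempt(ForgetfulBookmarkable, MEMBER)}"
  leaked = create_bookmark(VulnerableQueryGroupBookmarkable, Guardian.new(OUTSIDER), SECRET_QG)
  puts "leaked via reminder:  #{reminder_payload(leaked, SECRET_QG)[:title]}"
end
```

The design point is the last case: a no-op default in a base class is a silent authorization bypass waiting to happen, whereas a default that raises turns a forgotten override into a test failure on the first request.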
Detection Methods for CVE-2026-27150
Indicators of Compromise
- Unusual bookmark creation patterns for query groups by users who should not have access
- Bookmark entries in the database where the user has no corresponding query group permissions
- Anomalous bookmark reminder notifications being generated for users outside expected access groups
- Request-log entries for POST /bookmarks.json from accounts outside the groups that own the targeted query groups (Discourse's staff action log does not normally record ordinary bookmark creation, so the bookmarks table and the web server or Rails request logs are the primary evidence)
Detection Strategies
- Query the bookmarks table for rows whose bookmarkable_type is DataExplorer::QueryGroup and cross-reference each owner against the group assigned to that query group (and against admin status)
- Monitor application logs for bookmark creation requests targeting query groups
- Implement query analysis to detect users creating bookmarks for resources outside their permission scope
- Audit existing bookmarks to identify any that were created without proper authorization
Monitoring Recommendations
- Enable detailed logging for bookmark creation and modification events in Discourse
- Set up alerts for bookmark operations involving the Data Explorer plugin's query groups
- Periodically audit bookmark records against user permissions to detect unauthorized associations
- Monitor for unusual patterns in bookmark reminder notification generation
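The database cross-reference recommended under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the advisory or of Discourse. The table and column names (bookmarks, group_users, users, data_explorer_query_groups, and the bookmarkable_type string DataExplorer::QueryGroup) are my reading of the Discourse and Data Explorer schemas and should be verified against your database before the SQL is run in `rails c` or in Data Explorer itself; the sample rows are constructed. The Ruby function applies the same logic offline to rows already exported from those tables and also flags bookmarks whose query group no longer exists, which an inner join would silently drop.

```ruby
# Added example, not Discourse's code: audit query-group bookmarks whose
# owner is neither an admin nor a member of the group the query group is
# assigned to. Table/column names are assumptions; verify against your schema.
require "set"

QUERY_GROUP_TYPE = "DataExplorer::QueryGroup"

# Equivalent query for a live instance (assumed schema, run via DB.query or
# Data Explorer once patched). LEFT JOINs keep bookmarks whose query group
# was deleted; those are reported as query_group_missing.
AUDIT_SQL = <<~SQL
  SELECT b.id AS bookmark_id, b.user_id, b.bookmarkable_id AS query_group_id,
         b.created_at, b.reminder_at,
         CASE WHEN qg.id IS NULL THEN 'query_group_missing' ELSE 'not_in_group' END AS reason
  FROM bookmarks b
  LEFT JOIN data_explorer_query_groups qg ON qg.id = b.bookmarkable_id
  LEFT JOIN group_users gu ON gu.group_id = qg.group_id AND gu.user_id = b.user_id
  LEFT JOIN users u ON u.id = b.user_id
  WHERE b.bookmarkable_type = '#{QUERY_GROUP_TYPE}'
    AND COALESCE(u.admin, false) = false
    AND (qg.id IS NULL OR gu.id IS NULL)
  ORDER BY b.id
SQL

# Pure-Ruby version of the same logic over rows already pulled from the DB
# (arrays of hashes keyed by column name). Returns one finding per bookmark.
def unauthorized_query_group_bookmarks(bookmarks:, query_groups:, group_users:, users:)
  admins     = users.select { |u| u[:admin] }.map { |u| u[:id] }.to_set
  qg_by_id   = query_groups.to_h { |qg| [qg[:id], qg] }
  membership = group_users.map { |gu| [gu[:group_id], gu[:user_id]] }.to_set

  bookmarks
    .select { |b| b[:bookmarkable_type] == QUERY_GROUP_TYPE }
    .reject { |b| admins.include?(b[:user_id]) }
    .filter_map do |b|
      qg = qg_by_id[b[:bookmarkable_id]]
      reason =
        if qg.nil?
          :query_group_missing
        elsif !membership.include?([qg[:group_id], b[:user_id]])
          :not_in_group
        end
      next unless reason
      { bookmark_id: b[:id], user_id: b[:user_id],
        query_group_id: b[:bookmarkable_id], reason: reason }
    end
    .sort_by { |f| f[:bookmark_id] }
end

# Constructed sample rows standing in for the four tables.
USERS = [
  { id: 1,    admin: true  },
  { id: 1001, admin: false },
  { id: 1002, admin: false },
  { id: 2000, admin: false },
]
GROUP_USERS = [
  { group_id: 7, user_id: 1002 },
  { group_id: 3, user_id: 1001 },
]
QUERY_GROUPS = [
  { id: 42, query_id: 9,  group_id: 7 },  # query 9 runnable by group 7
  { id: 43, query_id: 10, group_id: 3 },  # query 10 runnable by group 3
]
BOOKMARKS = [
  { id: 1, user_id: 1001, bookmarkable_type: QUERY_GROUP_TYPE, bookmarkable_id: 42 }, # outsider: flag
  { id: 2, user_id: 1002, bookmarkable_type: QUERY_GROUP_TYPE, bookmarkable_id: 42 }, # group member
  { id: 3, user_id: 1,    bookmarkable_type: QUERY_GROUP_TYPE, bookmarkable_id: 42 }, # admin
  { id: 4, user_id: 1001, bookmarkable_type: "Post",           bookmarkable_id: 42 }, # not a query group
  { id: 5, user_id: 1001, bookmarkable_type: QUERY_GROUP_TYPE, bookmarkable_id: 43 }, # member of group 3
  { id: 6, user_id: 2000, bookmarkable_type: QUERY_GROUP_TYPE, bookmarkable_id: 99 }, # deleted query group: flag
]

if __FILE__ == $PROGRAM_NAME
  unauthorized_query_group_bookmarks(
    bookmarks: BOOKMARKS, query_groups: QUERY_GROUPS,
    group_users: GROUP_USERS, users: USERS
  ).each { |finding| puts finding.inspect }
end
```

Findings with reminder_at set deserve first attention, since those are the bookmarks that have already generated, or will generate, a disclosing notification.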
How to Mitigate CVE-2026-27150
Immediate Actions Required
- Upgrade Discourse to 2025.12.2, 2026.1.1 or 2026.2.0 (or a later release on the same branch) as soon as possible
- Audit existing bookmarks in the database to identify and remove any unauthorized query group bookmarks
- Review bookmark reminder notifications that may have been sent to unauthorized users
- If patching cannot happen promptly, consider temporarily disabling the Data Explorer plugin; note that this also removes administrators' ability to run saved queries until it is re-enabled
Patch Information
Discourse has released patched versions that address this vulnerability. The fix adds a proper validate_before_create authorization check to the QueryGroupBookmarkable class and also changes the base BaseBookmarkable class to raise NotImplementedError when a subclass does not implement validate_before_create, so that any future bookmarkable type that omits the check fails loudly instead of silently allowing access.
Fixed Versions:
- 2025.12.2
- 2026.1.1
- 2026.2.0
For additional details, refer to the GitHub Security Advisory.
Workarounds
- No official workarounds are available according to the vendor advisory
- Organizations unable to patch immediately should consider restricting access to the Data Explorer plugin
- Tighten sign-up (for example, invite-only or approval-required registration) so that fewer untrusted accounts exist until the patch is applied; any existing logged-in account can still exploit the flaw
- Monitor bookmark creation activity closely until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

