CVE-2026-27151 Overview
CVE-2026-27151 is a Missing Authorization vulnerability (CWE-862) in Discourse, an open source discussion platform. The vulnerability exists in the move_posts action, which only validated can_move_posts? permissions on the source topic but failed to verify write permissions on the destination topic. This oversight allowed Trust Level 4 (TL4) users and category group moderators to move posts into topics within categories where they lack posting privileges, such as read-only categories or categories with group-restricted write access.
Critical Impact
Unauthorized content manipulation in restricted forum categories, potentially allowing privileged users to bypass access controls and inject content into areas where they should have no write access.
Affected Products
- Discourse versions prior to 2025.12.2
- Discourse versions prior to 2026.1.1
- Discourse versions prior to 2026.2.0
Discovery Timeline
- 2026-02-26 - CVE-2026-27151 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27151
Vulnerability Analysis
This vulnerability represents a classic Broken Access Control flaw where authorization checks were incomplete during a privileged operation. The move_posts functionality in Discourse allows moderators and TL4 users to reorganize forum content by moving posts between topics. However, the implementation only enforced permission checks on the source topic (verifying that the user can move posts from it) while neglecting to validate whether the user has write access to the destination topic.
The security gap enables users with limited moderator capabilities to effectively bypass category-level access restrictions. For example, a category group moderator for "Category A" could move posts into "Category B" even if "Category B" is configured as read-only or restricted to a specific group that the moderator isn't a member of.
Root Cause
The root cause is an incomplete authorization check in the post-moving logic. The move_posts action relied solely on the can_move_posts? method to validate permissions, which only assessed source topic permissions. The code path lacked a corresponding check to verify that the acting user has can_create_post? or equivalent write permissions on the destination topic and its category.
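The following Ruby model is an added illustration of the gap described above; it is not Discourse's code, and the Category, Topic, User and MoveGuardian names (and the group-based permission rules) are constructed for this example rather than taken from Discourse's Guardian. It shows the source-only check beside the corrected check that also requires write access to the destination topic's category.

```ruby
# Added illustration (not Discourse code): a toy model of the authorization
# gap. Category, Topic, User and MoveGuardian are constructed for this
# example; Discourse's real Guardian and permission model differ.

Category = Struct.new(:name, :write_groups, :moderator_groups)
Topic    = Struct.new(:title, :category)
User     = Struct.new(:name, :groups, :trust_level)

class MoveGuardian
  def initialize(user)
    @user = user
  end

  # Source-side check: may the user move posts out of this topic?
  # Modeled as: TL4, or member of a moderator group for the category.
  def can_move_posts?(topic)
    @user.trust_level >= 4 ||
      (@user.groups & topic.category.moderator_groups).any?
  end

  # Write-side check: may the user post in this topic's category?
  def can_create_post?(topic)
    (@user.groups & topic.category.write_groups).any?
  end

  # Vulnerable shape: only the source topic is consulted.
  def vulnerable_move_allowed?(source, _destination)
    can_move_posts?(source)
  end

  # Fixed shape: the destination must also be writable by the actor.
  def fixed_move_allowed?(source, destination)
    can_move_posts?(source) && can_create_post?(destination)
  end
end

# Constructed fixture: a staff-only announcements category and an open
# help category with its own category moderators.
ANNOUNCEMENTS  = Category.new("Announcements", ["staff"], ["staff"])
HELP           = Category.new("Help", ["everyone"], ["help_mods"])
ANNOUNCE_TOPIC = Topic.new("Release notes", ANNOUNCEMENTS)
HELP_TOPIC     = Topic.new("How do I reset my password?", HELP)
CATEGORY_MOD   = User.new("alice", ["everyone", "help_mods"], 3)
TL4_USER       = User.new("bob", ["everyone"], 4)

# Returns [name, allowed_by_vulnerable_check, allowed_by_fixed_check]
# for a move from the help topic into the announcements topic.
def demo
  [CATEGORY_MOD, TL4_USER].map do |u|
    g = MoveGuardian.new(u)
    [u.name,
     g.vulnerable_move_allowed?(HELP_TOPIC, ANNOUNCE_TOPIC),
     g.fixed_move_allowed?(HELP_TOPIC, ANNOUNCE_TOPIC)]
  end
end

puts demo.inspect if __FILE__ == $0
```

Both the category moderator and the TL4 user pass the vulnerable check for a move into the staff-only category, and both are refused by the fixed check; a move within the help category still passes, which is the behaviour the patch preserves.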
Attack Vector
An attacker with TL4 privileges or category group moderator status would exploit this vulnerability through the following approach:
The exploitation requires network access and authenticated access to a Discourse instance with elevated trust level permissions. The attacker identifies a target category where they lack write access (such as an admin-only announcement category or a restricted group's private area). They then use the legitimate move_posts feature through the Discourse UI or API, selecting posts from a topic they can moderate and specifying a destination topic in the restricted category. Since the system only validates their source permissions, the move operation succeeds, effectively allowing them to inject content into restricted areas.
Detection Methods for CVE-2026-27151
Indicators of Compromise
- Posts appearing in restricted categories that were authored by users without category access
- Audit logs showing move_posts operations where the destination topic is in a category the actor should not have write access to
- Unexpected content in admin-only or group-restricted announcement categories
Detection Strategies
- Review Discourse admin logs for move_posts actions and cross-reference with category permission configurations
- Implement monitoring for post movements where the acting user's group membership doesn't include write access to the destination category
- Audit existing content in restricted categories to identify posts that may have been moved by unauthorized users
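The following Ruby script is an added example of the cross-referencing strategy above; it is not Discourse code and does not use Discourse's real staff action log format. The key=value log lines, the category write-permission table and the group membership table are all constructed for the example. It parses move_posts records and reports those whose actor belongs to no group with write access to the destination category.

```ruby
# Added illustration (not Discourse code, not its real log format):
# flag move_posts records whose actor lacks write access to the
# destination category. Every table and log line below is constructed.

# Constructed: category => groups permitted to post in it
CATEGORY_WRITE_GROUPS = {
  "help"          => ["everyone"],
  "announcements" => ["staff"],
  "partners"      => ["partner_team", "staff"],
}.freeze

# Constructed: user => group membership
USER_GROUPS = {
  "alice" => ["everyone", "help_mods"],
  "bob"   => ["everyone"],
  "carol" => ["everyone", "staff"],
}.freeze

# Constructed sample of action records in key=value form
SAMPLE_LOG = <<~LOG
  2026-02-27T10:15:03Z action=move_posts actor=alice source_category=help destination_category=announcements post_ids=12,13
  2026-02-27T10:16:40Z action=move_posts actor=carol source_category=help destination_category=announcements post_ids=14
  2026-02-27T10:17:02Z action=edit_post actor=bob source_category=help destination_category=help post_ids=15
  2026-02-27T10:18:55Z action=move_posts actor=bob source_category=help destination_category=partners post_ids=16,17,18
  2026-02-27T10:19:10Z action=move_posts actor=bob source_category=help destination_category=help post_ids=19
LOG

# Parse one line into a hash; returns nil for non-move or malformed lines.
def parse_move_line(line)
  ts, rest = line.strip.split(" ", 2)
  return nil if rest.nil?
  fields = rest.split(" ")
               .map { |kv| kv.split("=", 2) }
               .select { |pair| pair.size == 2 }
               .to_h
  return nil unless fields["action"] == "move_posts"
  {
    time: ts,
    actor: fields["actor"],
    source: fields["source_category"],
    destination: fields["destination_category"],
    post_ids: fields.fetch("post_ids", "").split(",").map(&:to_i),
  }
end

# Does any of the actor's groups carry write access to the category?
def destination_writable?(actor, category)
  allowed = CATEGORY_WRITE_GROUPS.fetch(category, [])
  (USER_GROUPS.fetch(actor, []) & allowed).any?
end

# Returns the move records that warrant review.
def suspicious_moves(log_text)
  log_text.each_line
          .map { |l| parse_move_line(l) }
          .compact
          .reject { |m| destination_writable?(m[:actor], m[:destination]) }
end

if __FILE__ == $0
  suspicious_moves(SAMPLE_LOG).each do |m|
    puts "#{m[:time]} #{m[:actor]} moved posts #{m[:post_ids].join(',')} " \
         "#{m[:source]} -> #{m[:destination]} without write access"
  end
end
```

Run against the constructed sample it reports two records: alice's move into the staff-only announcements category and bob's move into the partners category; carol's move is accepted because she is in the staff group, and the edit_post line is ignored. In a real deployment the two tables would be loaded from the forum's category security settings and group membership rather than hard-coded.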
Monitoring Recommendations
- Enable detailed logging for all post movement operations in Discourse settings
- Configure alerts for post modifications in critical read-only or restricted categories
- Periodically review category permission configurations against user trust levels and group memberships
How to Mitigate CVE-2026-27151
Immediate Actions Required
- Upgrade Discourse to version 2025.12.2, 2026.1.1, or 2026.2.0 (or later), whichever matches your release branch
- Audit restricted categories for any posts that may have been moved inappropriately prior to patching
- Review user trust levels and category moderator assignments to ensure principle of least privilege
Patch Information
Discourse has released patched versions that address this authorization bypass:
- Version 2025.12.2 for the 2025.12.x release branch
- Version 2026.1.1 for the 2026.1.x release branch
- Version 2026.2.0 for the latest release branch
The fix implements proper authorization checks on the destination topic during move_posts operations. For complete technical details, refer to the GitHub Security Advisory.
Workarounds
- No official workarounds are available according to the vendor advisory
- As a temporary measure, consider restricting TL4 promotions and category moderator assignments until patching is complete
- Review and tighten category permissions where highly sensitive content is stored
# Discourse upgrade commands (example for Docker-based installations)
cd /var/discourse
git pull
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.