CVE-2026-27152 Overview
CVE-2026-27152 is an authorization bypass vulnerability in Discourse, an open source discussion platform. The flaw lies in the Chat::AddUsersToChannel functionality, which allows a user to add other users who have blocked, ignored, or muted them to an existing Direct Message (DM) channel. This bypasses the per-recipient private message (PM) restrictions that are normally enforced when a DM channel is created, enabling unwanted communication with users who have explicitly configured privacy preferences to prevent contact from specific individuals.
Critical Impact
Users can bypass communication blocking mechanisms to contact individuals who have explicitly blocked, ignored, or muted them, potentially enabling harassment or unwanted contact scenarios.
Affected Products
- Discourse versions prior to 2025.12.2
- Discourse versions prior to 2026.1.1
- Discourse versions prior to 2026.2.0
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27152 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27152
Vulnerability Analysis
This vulnerability is classified under CWE-284 (Improper Access Control). The core issue stems from inconsistent enforcement of user communication preferences between different code paths within the Discourse chat system.
When creating a new DM channel, Discourse properly validates whether the initiating user is permitted to contact each target recipient based on their block, ignore, and mute preferences. However, when adding users to an existing DM channel via the Chat::AddUsersToChannel service, these same validation checks are not applied.
This creates a bypass scenario where an attacker can first create a DM channel with permitted recipients, then subsequently add blocked/muted users to that channel, circumventing the protective controls those users had configured.
Root Cause
The root cause is improper access control validation in the Chat::AddUsersToChannel service. The service fails to check the initiating user's relationship status with target users before adding them to a DM channel. While the DM channel creation flow properly implements these checks, the user addition flow lacks equivalent validation, creating an inconsistent security boundary.
Attack Vector
The attack leverages the network-accessible chat functionality within Discourse. An authenticated user with low privileges can exploit this vulnerability by:
- Creating a legitimate DM channel with one or more permitted users
- Using the Chat::AddUsersToChannel functionality to add users who have blocked, ignored, or muted them
- Successfully bypassing the communication preference restrictions those users had configured
The vulnerability requires authentication and can be exploited remotely. The attack does not require any user interaction from the victim and exploits a logic flaw in the access control implementation.
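The inconsistency described in Root Cause and Attack Vector, modelled as an added Ruby example written for this page (it is not Discourse's own code): one shared screening policy, the creation path that already applies it, the pre-patch shape of the add-users path that skips it, and a hardened add-users path that reuses it. The names CommPolicy, DmChannel, create_dm, add_users! and the PREFS table are hypothetical, constructed stand-ins for Discourse's services and database tables.

```ruby
require "set"

# Constructed preference table: whom each user has blocked, ignored or muted.
PREFS = {
  "alice" => { blocked: Set["mallory"], ignored: Set[], muted: Set[] },
  "bob"   => { blocked: Set[], ignored: Set["mallory"], muted: Set[] },
  "carol" => { blocked: Set[], ignored: Set[], muted: Set[] },
}
NO_PREFS = { blocked: Set[], ignored: Set[], muted: Set[] }.freeze

class ContactRefused < StandardError; end

# One policy object used by every path that places users into a DM channel.
module CommPolicy
  # Targets that have blocked, ignored or muted the acting user.
  def self.refusing(actor, targets)
    targets.select do |t|
      p = PREFS.fetch(t, NO_PREFS)
      %i[blocked ignored muted].any? { |k| p[k].include?(actor) }
    end
  end

  def self.enforce!(actor, targets)
    refused = refusing(actor, targets)
    return if refused.empty?
    raise ContactRefused, "#{actor} may not contact: #{refused.join(', ')}"
  end
end

DmChannel = Struct.new(:members)

# Channel creation: every recipient is screened (the path that was already safe).
def create_dm(actor, targets)
  CommPolicy.enforce!(actor, targets)
  DmChannel.new(Set[actor, *targets])
end

# Pre-patch shape of the add-users path: members are merged with no screening,
# so a target who blocked the actor can be pulled into an existing channel.
def add_users_unchecked!(channel, _actor, targets)
  channel.members.merge(targets)
  channel
end

# Hardened add-users path: the same screen as creation, applied before the merge.
def add_users!(channel, actor, targets)
  CommPolicy.enforce!(actor, targets)
  channel.members.merge(targets)
  channel
end
```

The defensive lesson is that the check belongs in one place that every membership-changing path calls, not duplicated per code path.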
Detection Methods for CVE-2026-27152
Indicators of Compromise
- Unexpected DM channel memberships where users receive messages from accounts they have blocked
- User complaints about receiving messages from blocked or muted users
- Audit log entries showing users being added to DM channels by accounts they have restricted
- Unusual patterns in Chat::AddUsersToChannel service invocations
Detection Strategies
- Monitor application logs for Chat::AddUsersToChannel operations and correlate with user block/mute relationship data
- Implement alerting for DM channel membership changes that would normally be blocked by user preferences
- Review Discourse chat logs for patterns indicating preference bypass attempts
- Deploy application-layer monitoring to detect anomalous user addition patterns in chat channels
Monitoring Recommendations
- Enable verbose logging for the Discourse chat subsystem
- Implement real-time monitoring of DM channel membership changes
- Configure alerts for user reports of unwanted contact from blocked accounts
- Periodically audit DM channel memberships against user communication preferences
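The correlation described under Detection Strategies (matching user-addition events against block/ignore/mute data) and the membership review recommended under mitigation, as an added Ruby example written for this page rather than a Discourse tool. The JSON-lines record shape, the event names and the PREFS table are constructed assumptions; map the fields to whatever your own audit logging emits for channel creation and user addition.

```ruby
require "set"
require "json"

# Constructed preference table (who blocked / ignored / muted whom).
PREFS = {
  "alice" => { blocked: Set["mallory"], ignored: Set[], muted: Set[] },
  "bob"   => { blocked: Set[], ignored: Set["mallory"], muted: Set[] },
  "carol" => { blocked: Set[], ignored: Set[], muted: Set[] },
}

# Constructed membership-change records in a hypothetical JSON-lines shape;
# this is not Discourse's real log format.
AUDIT_LOG = <<~LOG
  {"ts":"2026-02-20T10:00:00Z","event":"dm_channel_created","actor":"mallory","targets":["carol"],"channel_id":41}
  {"ts":"2026-02-20T10:05:00Z","event":"dm_channel_users_added","actor":"mallory","targets":["alice","bob"],"channel_id":41}
  {"ts":"2026-02-20T11:00:00Z","event":"dm_channel_users_added","actor":"carol","targets":["bob"],"channel_id":41}
LOG

# Which restriction (if any) the target has placed on the actor.
def restriction(target, actor)
  prefs = PREFS[target]
  return nil unless prefs
  %i[blocked ignored muted].find { |k| prefs[k].include?(actor) }
end

# Replays additions and returns one finding per (actor, target) pair where the
# target had restricted the actor, i.e. where a per-recipient check should have
# refused the addition. Creation events are skipped: that path was screened.
def audit(log_text)
  findings = []
  log_text.each_line do |line|
    next if line.strip.empty?
    rec = JSON.parse(line)
    next unless rec["event"] == "dm_channel_users_added"
    rec["targets"].each do |target|
      kind = restriction(target, rec["actor"])
      next unless kind
      findings << { ts: rec["ts"], channel_id: rec["channel_id"],
                    actor: rec["actor"], target: target, restriction: kind }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(AUDIT_LOG).each do |f|
    puts "#{f[:ts]} channel #{f[:channel_id]}: #{f[:actor]} added #{f[:target]}, " \
         "who had #{f[:restriction]} them"
  end
end
```

Run against historical records, the findings list is the set of channels and users to review under the mitigation steps; run on a schedule, it is the periodic audit recommended above.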
How to Mitigate CVE-2026-27152
Immediate Actions Required
- Immediately upgrade Discourse to version 2025.12.2, 2026.1.1, or 2026.2.0, or a later release
- Review DM channel memberships for any users who may have been added in violation of their preferences
- Communicate with affected users about the vulnerability and remediation steps
- Monitor for any exploitation attempts in your environment
Patch Information
The vulnerability has been patched in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0. Organizations should upgrade to one of these versions or later to remediate this vulnerability. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- No known workarounds are available for this vulnerability
- Organizations must apply the vendor-provided patches to fully remediate this issue
- Consider temporarily disabling the chat functionality if immediate patching is not possible, though this may significantly impact platform usability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.