Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27162

CVE-2026-27162: Discourse Information Disclosure Flaw

CVE-2026-27162 is an information disclosure vulnerability in Discourse that exposes whisper posts to unauthorized users through improper access control. This article covers technical details, affected versions, and patches.

Published:

CVE-2026-27162 Overview

CVE-2026-27162 is an information disclosure vulnerability in Discourse, a popular open source discussion platform. The vulnerability exists in the posts_nearby function which improperly checks topic access permissions but then returns all posts regardless of type. This flaw allows authenticated users to view "whisper" posts that should only be visible to users with whisperer permissions.

Critical Impact

Authenticated users can access private whisper posts intended for privileged users only, potentially exposing confidential communications and sensitive moderation discussions.

Affected Products

  • Discourse versions prior to 2025.12.2
  • Discourse versions prior to 2026.1.1
  • Discourse versions prior to 2026.2.0

Discovery Timeline

  • 2026-02-26 - CVE CVE-2026-27162 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-27162

Vulnerability Analysis

This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The posts_nearby function in Discourse performs an initial topic access check to verify whether a user should have access to a topic. However, after this authorization check passes, the function returns all posts within the topic without applying proper filtering based on post types.

The critical issue is that whisper posts—a special category of posts intended only for users with whisperer privileges (typically moderators and administrators)—are included in the response regardless of the requesting user's actual permission level. This creates a significant authorization bypass where any authenticated user with basic topic access can retrieve confidential whisper communications.

Root Cause

The root cause lies in insufficient access control implementation within the posts_nearby function. While the function correctly validates topic-level access, it fails to apply granular post-type filtering. The proper remediation involves using Post.secured(guardian) to filter post types based on the authenticated user's permission set, ensuring that whisper posts are only returned to users with the appropriate whisperer permissions.

Attack Vector

The vulnerability is exploitable over the network by any authenticated user. An attacker with a valid account on a Discourse instance can trigger the posts_nearby functionality to retrieve posts from topics they have legitimate access to. Due to the missing post-type filter, the response will include whisper posts that contain potentially sensitive information such as moderation notes, private staff discussions, or confidential administrative communications.

The attack requires low privileges (basic authenticated access) and no user interaction. The confidentiality impact is high as whisper posts typically contain sensitive moderation and administrative content not intended for regular users.

Detection Methods for CVE-2026-27162

Indicators of Compromise

  • Unusual access patterns to the posts_nearby API endpoint from non-staff accounts
  • API responses containing whisper post content returned to regular user accounts
  • Elevated query volumes targeting topic post retrieval functions
  • Log entries showing whisper post IDs being accessed by users without whisperer permissions

Detection Strategies

  • Monitor Discourse application logs for posts_nearby requests that return whisper-type posts to non-privileged users
  • Implement API request auditing to track post type visibility across user permission levels
  • Review access logs for patterns of systematic topic enumeration from single accounts
  • Configure alerting for anomalous post retrieval patterns that may indicate exploitation attempts

Monitoring Recommendations

  • Enable detailed application logging for post retrieval functions in Discourse
  • Implement log analysis rules to detect whisper post exposure to unauthorized users
  • Monitor for unusual spikes in posts_nearby API usage patterns
  • Consider implementing additional access logging at the database query level for sensitive post types

How to Mitigate CVE-2026-27162

Immediate Actions Required

  • Upgrade Discourse to version 2025.12.2, 2026.1.1, or 2026.2.0 immediately
  • Review audit logs for potential unauthorized access to whisper posts prior to patching
  • Assess whether any sensitive information may have been exposed through whisper posts
  • Consider temporarily restricting access to affected Discourse instances until patching is complete

Patch Information

Discourse has released patched versions that address this vulnerability by implementing Post.secured(guardian) to properly filter post types based on user permissions. The following versions contain the fix:

  • Version 2025.12.2
  • Version 2026.1.1
  • Version 2026.2.0

For additional details, refer to the GitHub Security Advisory.

Workarounds

  • No known workarounds are available for this vulnerability
  • The only effective mitigation is upgrading to a patched version
  • Organizations should prioritize patching given the lack of alternative mitigations
  • Consider implementing network-level access restrictions as a temporary defense-in-depth measure while planning the upgrade

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne