CVE-2026-27570 Overview
CVE-2026-27570 is a stored cross-site scripting (XSS) vulnerability in Discourse, an open-source discussion platform. The onebox method in the SharedAiConversation model renders the conversation title directly into HTML without proper sanitization. An attacker who can create or influence a shared AI conversation title can inject HTML or JavaScript that executes when other users render the onebox preview. The issue is tracked under [CWE-79] and is fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.
Critical Impact
Low-privileged users can inject scripts into AI conversation titles, leading to session theft, account takeover, or actions performed in the victim's context when the onebox renders.
Affected Products
- Discourse versions prior to 2026.3.0-latest.1
- Discourse versions prior to 2026.2.1
- Discourse versions prior to 2026.1.2
Discovery Timeline
- 2026-03-19 - CVE-2026-27570 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-27570
Vulnerability Analysis
The vulnerability resides in the onebox method of the SharedAiConversation model. Discourse uses oneboxes to render rich previews of internal and external links inside posts. When a shared AI conversation link is oneboxed, the conversation title is injected into the resulting HTML fragment without being escaped or sanitized.
Because the title field accepts attacker-controlled text, an actor with permission to create a shared AI conversation can craft a title containing HTML tags or inline JavaScript. When another user views a post that oneboxes the malicious shared conversation, the browser parses and executes the injected markup in the context of the Discourse origin.
Exploitation requires that the actor belongs to a group permitted by the ai_bot_public_sharing_allowed_groups setting. User interaction is also required, since a victim must render a page that contains the onebox.
Root Cause
The root cause is missing output encoding on a user-controlled string. The onebox method concatenates the conversation title into an HTML template instead of routing it through Discourse's existing HTML escaping helpers. This violates the standard pattern of treating any persisted user input as untrusted at render time.
Attack Vector
The attack vector is network-based and requires low privileges plus user interaction. An authenticated member of an allowed sharing group creates a shared AI conversation with a title containing an XSS payload. The attacker then posts a link to the shared conversation in any topic where it will be oneboxed. Any user viewing that topic triggers script execution in their authenticated browser session.
The security advisory and patch commits are available in the upstream repository. See the GitHub Security Advisory GHSA-hfxw-89hw-vwmv for technical details and the fix commits (43a5a60, c14f8f5, f2aafa5).
Detection Methods for CVE-2026-27570
Indicators of Compromise
- Shared AI conversation titles containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...>.
- Outbound requests from user browsers to attacker-controlled domains shortly after rendering posts that contain AI conversation oneboxes.
- Unexpected session token, API key, or CSRF token exfiltration patterns in web proxy logs originating from authenticated Discourse sessions.
Detection Strategies
- Query the shared_ai_conversations table for title values containing angle brackets, javascript: URIs, or event handler attributes such as onerror= and onload=.
- Inspect rendered post HTML for oneboxes referencing shared AI conversations and verify titles are HTML-escaped.
- Review Content Security Policy (CSP) violation reports for inline script or unsafe-eval events on pages hosting oneboxes.
Monitoring Recommendations
- Enable and forward Discourse application and Nginx access logs to a centralized log platform for correlation across user sessions.
- Alert on creation of shared AI conversations followed by rapid link distribution to multiple high-traffic topics.
- Track user-agent and IP anomalies on accounts within the ai_bot_public_sharing_allowed_groups group.
How to Mitigate CVE-2026-27570
Immediate Actions Required
- Upgrade Discourse to 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 depending on your release channel.
- Audit existing shared AI conversation titles for malicious markup and remove or sanitize any suspicious records.
- Rotate session secrets and API keys for any accounts that may have rendered a malicious onebox.
Patch Information
The fix is delivered in Discourse versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The patch is implemented across three commits that ensure the conversation title is properly escaped before being rendered into the onebox HTML. Refer to the GitHub Security Advisory GHSA-hfxw-89hw-vwmv for the authoritative fix description.
Workarounds
- Tighten access by changing the ai_bot_public_sharing_allowed_groups site setting to restrict shared AI conversation creation to a small, trusted group of users.
- Disable AI bot public sharing entirely until the upgrade is applied if the feature is not in active use.
- Enforce a strict Content Security Policy that blocks inline scripts to reduce the impact of stored XSS payloads.
# Restrict AI bot public sharing to staff only via the Discourse admin UI
# Admin > Settings > search: ai_bot_public_sharing_allowed_groups
# Set value to: staff
#
# Or via the Rails console:
SiteSetting.ai_bot_public_sharing_allowed_groups = "3" # group id for staff
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
