CVE-2026-27491

low-risk
Published 2026-03-19

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a type coercion issue in a post actions API endpoint allowed non-staff users to issue warnings to other users. Warnings are a staff-only moderation feature. The vulnerability required the attacker to be a logged-in user and to send a specifically crafted request. No data exposure or privilege escalation beyond the ability to create unauthorized user warnings was possible. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Discourse

References (4)

Patch https://github.com/discourse/discourse/commit/60a588f4da4ab0feceb2c44787d4261b4f...
Patch https://github.com/discourse/discourse/commit/d3cb203feabc46d765ecb91f348613a2bd...
Patch https://github.com/discourse/discourse/commit/f5fef73827da7520efc517357bd2a6bab3...
Vendor Advisory https://github.com/discourse/discourse/security/advisories/GHSA-xq37-5fvf-4m4j
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 7/34 · Low