Vulnerability DatabaseCVE-2026-27935
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27935
March 19, 2026
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a vulnerability in an API endpoint that discloses private topic metadata of admin users to moderator users even if the moderators do not have access to the private topics. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Affected Packages
https://github.com/discourse/discourse.git (GITHUB):
Affected version(s) =v2026.3.0-latest <v2026.3.0-latest.1
Fix Suggestion:
Update to version v2026.3.0-latest.1
https://github.com/discourse/discourse.git (GITHUB):
Affected version(s) >=v2026.1.0-latest <v2026.1.2
Fix Suggestion:
Update to version v2026.1.2
Related Resources (4)
https://github.com/discourse/discourse/security/advisories/GHSA-wxqr-r4wv-cw76
https://github.com/discourse/discourse/commit/c0f6e9a903800de0dda65c114418ae703d8a51fc
https://github.com/discourse/discourse/commit/f37e4fdf8391e4a54f1885a3a5514d390eb28bab
https://github.com/discourse/discourse/commit/d8dbb4cb189cded8c9e8b3ada859fc0db3f41897
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Insertion of Sensitive Information Into Sent Data
CWE-201
EPSS
Base Score:
0.03