Medium severity 5.3 · NVD Advisory · Published Apr 3, 2026 · Updated Apr 22, 2026
CVE-2026-27481
Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-only) tags and their associated data. All Discourse instances with tagging enabled and staff-only tag groups configured are impacted. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Affected products
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
- cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:* (range: >=2026.1.0,<=2026.1.2)
Patches
No patches discovered yet.
References
- github.com/discourse/discourse/security/advisories/GHSA-6c9x-3vrp-682x (nvd, Third Party Advisory)
News mentions
- Pro-Iran crew turns DDoS into shakedown as Ubuntu.com stays down (The Register Security, May 1, 2026)