Unrated severityNVD Advisory· Published Feb 26, 2026· Updated Mar 3, 2026
Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category
CVE-2026-28227
Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the publish_to_category topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Affected products
3<2025.12.2, <2026.1.1, <2026.2.0+ 1 more
- (no CPE)range: <2025.12.2, <2026.1.1, <2026.2.0
- (no CPE)range: < 2025.12.2
Patches
Vulnerability mechanics
References
1- github.com/discourse/discourse/security/advisories/GHSA-m49w-78mh-87jpmitrex_refsource_CONFIRM
News mentions
1- From SQLi to RCE – Exploiting LangGraph’s CheckpointerCheck Point Research · Jun 11, 2026