2.7

CVE-2026-33408

Discourse has Improper Authorization in "Post Edits" Report For Moderators

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DiscourseDiscourse Version >= 2026.1.0 < 2026.1.2
DiscourseDiscourse Version >= 2026.2.0 < 2026.2.1
DiscourseDiscourse Version2026.3.0 SwEditionlatest
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.192
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 2.7 1.2 1.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 2.2 0.7 1.4
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/discourse/discourse/commit/3bf3793a708662716c0a4eaf64ae091abe71ab4c
Patch
https://github.com/discourse/discourse/commit/473288219e93cd17576cf15e4f0b9e388a31d0c1
Patch
https://github.com/discourse/discourse/commit/62721429d4402505d21280bcbe5894032447d800
Patch
https://github.com/discourse/discourse/security/advisories/GHSA-wf9r-386h-g29c
Vendor Advisory