FKIE_CVE-2026-21865
Vulnerability from fkie_nvd - Published: 2026-01-28 20:16 - Updated: 2026-01-30 20:30
Severity: MEDIUM (CVSS 3.1 base score 6.5)
Summary
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a patched version.
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39 | Third Party Advisory |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
              "matchCriteriaId": "FDBF21E2-1191-4020-A17A-0702DE4E6451",
              "versionEndExcluding": "3.5.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
              "matchCriteriaId": "539B5B85-44F0-408E-B994-08BB20EA9C26",
              "versionEndExcluding": "2025.11.2",
              "versionStartIncluding": "2025.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*",
              "matchCriteriaId": "CCBF47A8-0D3F-4174-8084-CD3517BF272A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*",
              "matchCriteriaId": "F6CF5F98-F08F-4B28-BBE2-8296760A547E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the \"personal message enabled groups\" site setting until the Discourse instance has been upgraded to a version that has been patched."
    },
    {
      "lang": "es",
      "value": "Discourse es una plataforma de discusión de código abierto. En versiones anteriores a 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0, los moderadores pueden convertir algunos mensajes personales en temas públicos cuando no deberían tener acceso. Este problema está parcheado en las versiones 3.5.4, 2025.11.2, 2025.12.1 y 2026.1.0. Como solución alternativa, el administrador del sitio puede revocar temporalmente el rol de moderación a los moderadores no confiables o eliminar el grupo de moderadores de la configuración del sitio 'grupos con mensajes personales habilitados' hasta que la instancia de Discourse haya sido actualizada a una versión que haya sido parcheada."
    }
  ],
  "id": "CVE-2026-21865",
  "lastModified": "2026-01-30T20:30:18.947",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-28T20:16:14.530",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.