Byte Open Security (ByteOS Network)
CVE Vulnerability Details: CVE-2026-28282 (PUBLISHED)
Assigner: GitHub_M (Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa)
Published At: 19 Mar, 2026 | 21:45
Updated At: 20 Mar, 2026 | 18:10

CVE Numbering Authority (CNA)
Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

Affected Products
Vendor: Civilized Discourse Construction Kit, Inc.
Product: discourse
Affected versions:
  • >= 2026.1.0-latest, < 2026.1.2
  • >= 2026.2.0-latest, < 2026.2.1
  • = 2026.3.0-latest
Problem Types
Type: CWE
CWE ID: CWE-863
Description: CWE-863: Incorrect Authorization
Metrics
CVSS version: 4.0
Base score: 2.3
Base severity: LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References
  • https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf (x_refsource_CONFIRM)
  • https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add (x_refsource_MISC)
  • https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b (x_refsource_MISC)
  • https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951 (x_refsource_MISC)

Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Details not found