Discourse Bookmark Authorization Bypass (pre-2025.12.2, 2026.1.1, 2026.2.0)
CVE-2026-27150 Published on February 26, 2026
Discourse does not perform a guardian check when creating a QueryGroupBookmark
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, missing `validate_before_create` authorization in Data Explorer's `QueryGroupBookmarkable` allows any logged-in user to create bookmarks for query groups they don't have access to, enabling metadata disclosure via bookmark reminder notifications. Versions 2025.12.2, 2026.1.1, and 2026.2.0 fix this issue and also make sure `validate_before_create` throws NotImplementedError in BaseBookmarkable if not implemented, to prevent similar issues in the future. No known workarounds are available.
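The following is an added illustration of the pattern the fix describes, not Discourse's code: a base bookmarkable whose `validate_before_create` fails closed with NotImplementedError, beside a subclass that actually consults the guardian. The `Guardian`, `can_see_query_group?`, `InvalidAccess` and `create_bookmark` names are constructed stand-ins for this example.

```ruby
# Added illustration of the fail-closed pattern the fix describes. Apart from
# validate_before_create, BaseBookmarkable and QueryGroupBookmarkable, the names
# here (Guardian, can_see_query_group?, InvalidAccess, create_bookmark) are
# constructed stand-ins, not Discourse's real API.
require "set"

InvalidAccess = Class.new(StandardError)
QueryGroup = Struct.new(:id, :name)

# Stand-in for the actor making the request and what it may see (constructed).
class Guardian
  def initialize(username, visible_group_ids)
    @username = username
    @visible = Set.new(visible_group_ids)
  end

  def can_see_query_group?(group)
    @visible.include?(group.id)
  end
end

class BaseBookmarkable
  # Fail closed: a subclass that never defines its authorization check cannot
  # be used to create bookmarks, instead of silently allowing everything.
  def self.validate_before_create(_guardian, _target)
    raise NotImplementedError, "#{name} must implement validate_before_create"
  end
end

# The vulnerable shape: no override. With a no-op base method this would let any
# logged-in user bookmark any target; with the raising base it cannot be used.
class UncheckedBookmarkable < BaseBookmarkable; end

# The fixed shape: the guardian decides whether this user may see the group.
class QueryGroupBookmarkable < BaseBookmarkable
  def self.validate_before_create(guardian, query_group)
    raise InvalidAccess unless guardian.can_see_query_group?(query_group)
  end
end

# Runs the check and reports which path was taken; a real implementation would
# persist the bookmark only on :created.
def create_bookmark(bookmarkable_class, guardian, target)
  bookmarkable_class.validate_before_create(guardian, target)
  :created
rescue NotImplementedError
  :not_implemented
rescue InvalidAccess
  :denied
end
```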
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-27150 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-27150
Affected Versions
discourse:
- Version < 2025.12.2 is affected.
- Version >= 2026.1.0-latest, < 2026.1.1 is affected.
- Version >= 2026.2.0-latest, < 2026.2.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.