Discourse Data Explorer plugin fail-open access (auth can run SQL) <2025.12.2
CVE-2026-28218 Published on February 26, 2026
Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-28218 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-28218
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version < 2025.12.2 is affected.
- Version >= 2026.1.0-latest, < 2026.1.1 is affected.
- Version >= 2026.2.0-latest, < 2026.2.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.