CVE-2026-21865

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N                                    

Vulnerability Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched.

Vulnerability Details

Published Date

January 28, 2026

Last Modified

January 30, 2026

CWE ID

CWE-862

Source

NVD

Vendor

discourse

Product

discourse

External References

https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment