CVE-2026-26265
Published: 26 February 2026
Summary
CVE-2026-26265 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Discourse Discourse. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Applying decisions to each request prior to enforcement mitigates incorrect authorization by enforcing consistent policy evaluation.
Mandating policy-based enforcement reduces the chance of incorrect authorization logic being used.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The IDOR vulnerability in the public-facing Discourse DirectoryItemsController allows unauthenticated remote attackers to bypass authorization checks and exfiltrate private user data via a standard web API endpoint, directly matching the definition of exploiting an internet-facing application.
NVD Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory.…
more
The `user_field_ids` parameter in `DirectoryItemsController#index` accepts arbitrary user field IDs without authorization checks, bypassing the visibility restrictions (`show_on_profile` / `show_on_user_card`) that are enforced elsewhere (e.g., `UserCardSerializer` via `Guardian#allowed_user_field_ids`). An attacker can request `GET /directory_items.json?period=all&user_field_ids=<id>` with any private field ID and receive that field's value for every user in the directory response. This enables bulk exfiltration of private user data such as phone numbers, addresses, or other sensitive custom fields that admins have explicitly configured as non-public. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by filtering `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As a workaround, site administrators can remove sensitive data from private user fields, or disable the user directory via the `enable_user_directory` site setting.
Deeper analysisAI
CVE-2026-26265 is an insecure direct object reference (IDOR) vulnerability in Discourse, an open source discussion platform. It affects versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, specifically in the `DirectoryItemsController#index` endpoint. The flaw arises because the `user_field_ids` parameter accepts arbitrary user field IDs without authorization checks, bypassing visibility restrictions like `show_on_profile` or `show_on_user_card` that are enforced elsewhere, such as in `UserCardSerializer` via `Guardian#allowed_user_field_ids`. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-863 (Incorrect Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).
Any user, including anonymous users, can exploit this vulnerability remotely over the network with low complexity and no privileges required. By sending a GET request to `/directory_items.json?period=all&user_field_ids=<id>` with any private field ID, an attacker can retrieve that field's value for every user in the directory response. This enables bulk exfiltration of sensitive private user data, such as phone numbers, addresses, or other custom fields configured by admins as non-public.
The GitHub Security Advisory (GHSA-crxf-p6jm-vpgw) details patches in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0, which filter `user_field_ids` against `UserField.public_fields` for non-staff users before building the custom field map. As workarounds, site administrators can remove sensitive data from private user fields or disable the user directory via the `enable_user_directory` site setting.
Details
- CWE(s)