Cyber Resilience

CVE-2026-27934

Severity: High
Published: 19 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0025 (16.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27934 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Discourse Discourse. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2026-27934 is an information disclosure vulnerability in Discourse, an open-source discussion platform. It stems from a missing visibility check in a user action API endpoint, which allows unauthorized users to read the title and post excerpt of content they are not permitted to see. The issue affects all versions of Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. Successful exploitation enables the attacker to disclose sensitive titles and post excerpts that should not be visible to them, potentially revealing private or moderated discussion content across the platform.

According to the advisory, Discourse has patched the vulnerability in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No known workarounds are available. Security practitioners should prioritize upgrading affected installations. For full details, refer to the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-824f-66wh-xx3g.

Vulnerability details

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated remote information disclosure vulnerability in the public-facing Discourse web application/API, which is directly exploitable using T1190 (Exploit Public-Facing Application) to access restricted content.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23743 (same product: Discourse Discourse)
CVE-2026-29072 (same product: Discourse Discourse)
CVE-2026-31805 (same product: Discourse Discourse)
CVE-2025-68662 (same product: Discourse Discourse)
CVE-2026-26265 (same product: Discourse Discourse)
CVE-2025-68479 (same product: Discourse Discourse)
CVE-2026-33427 (same product: Discourse Discourse)
CVE-2026-26078 (same product: Discourse Discourse)
CVE-2025-23023 (same product: Discourse Discourse)
CVE-2024-55948 (same product: Discourse Discourse)

Affected Assets

Vendor: discourse
Product: discourse
Affected versions: 2026.3.0 · 2026.1.0 — 2026.1.2 · 2026.2.0 — 2026.2.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces approved authorizations for access to information, addressing the lack of visibility checks in the user action API endpoint that enabled unauthorized disclosure of titles and post excerpts.

AU-13 Monitoring for Information Disclosure (detect)

Specifically monitors for potential information disclosures, enabling identification of unauthorized access to restricted content via the vulnerable API endpoint.

AC-6 Least Privilege (prevent)

Applies least privilege to restrict user access to only necessary resources, limiting the scope of information disclosure even with incomplete visibility enforcement.
