CVE-2026-29072
Published: 19 March 2026
Summary
CVE-2026-29072 is a high-severity Missing Authorization (CWE-862) vulnerability in Discourse, the open-source discussion platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations to prevent unauthorized users from creating functional policy acceptance widgets in posts due to insufficient authorization checks.
- AC-6 (Least Privilege): applies least privilege to restrict policy widget creation to only the allowed groups, mitigating the bypass of group-based restrictions.
- Remediates the specific authorization flaw by identifying, reporting, and applying patches to vulnerable Discourse versions prior to exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The authorization bypass (CWE-862) in the public-facing Discourse web application directly enables remote, unauthenticated exploitation to insert unauthorized policy widgets, which maps to T1190 Exploit Public-Facing Application. There is no direct mapping to code execution, credential access, or other techniques without further assumptions.
NVD Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.
Deeper analysis
CVE-2026-29072 is a vulnerability in Discourse, an open-source discussion platform, affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. It stems from insufficient authorization checks (CWE-862), enabling users outside the allowed policy creation groups to create functional policy acceptance widgets in posts under certain conditions. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), highlighting its potential for network-accessible exploitation with high integrity impact.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By crafting posts with unauthorized policy acceptance widgets, they achieve high integrity impact, allowing insertion of functional widgets that bypass intended group-based restrictions on policy creation.
The Discourse security advisory (GHSA-7ph8-vprq-4jrp) confirms patches in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. As a workaround, disable the discourse-policy plugin by setting `policy_enabled` to false in site settings.
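As an added example (not Discourse's own code, nor anything from the advisory), a small Ruby triage helper that classifies an instance from its version string and its `policy_enabled` site setting. The version-ordering rules, in particular how a `-latest.N` build compares with a plain release, and the treatment of series not listed in the advisory are assumptions:

```ruby
# Added triage helper for CVE-2026-29072; not Discourse's own code.
# It parses Discourse version strings ("2026.2.0", "2026.3.0-latest.1") and
# decides whether an instance needs the patch or the `policy_enabled` workaround.

FIXED_VERSIONS = ["2026.1.2", "2026.2.1", "2026.3.0-latest.1"].freeze

Version = Struct.new(:major, :minor, :patch, :channel, :build)

# "2026.3.0-latest.1" -> major 2026, minor 3, patch 0, channel "latest", build 1.
# A plain "2026.2.1" has no channel/build and is treated as a stable release.
def parse_version(str)
  m = str.match(/\A(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?\z/)
  raise ArgumentError, "unrecognised Discourse version: #{str}" unless m
  Version.new(m[1].to_i, m[2].to_i, m[3].to_i, m[4], m[5]&.to_i)
end

# Ordering within one major.minor series (assumption: a stable release of a
# patch level sorts after every "-latest.N" build of that same patch level).
def series_key(v)
  [v.patch, v.channel.nil? ? 1 : 0, v.build || 0]
end

# True when the running version already contains the fix.
def patched?(version_str)
  v = parse_version(version_str)
  fixed = FIXED_VERSIONS.map { |s| parse_version(s) }
  fix = fixed.find { |f| f.major == v.major && f.minor == v.minor }
  if fix
    (series_key(v) <=> series_key(fix)) >= 0
  else
    # No fix listed for this series: series newer than every fixed one are
    # assumed to carry the fix; older series (e.g. 2025.x) predate it.
    newest = fixed.map { |f| [f.major, f.minor] }.max
    ([v.major, v.minor] <=> newest) == 1
  end
end

# Combine version state with the `policy_enabled` site setting from the advisory.
def triage(version_str, policy_enabled:)
  return :patched if patched?(version_str)
  policy_enabled ? :vulnerable : :mitigated_by_workaround
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  { "forum-a" => ["2026.2.0", true], "forum-b" => ["2026.2.0", false],
    "forum-c" => ["2026.3.0-latest.1", true] }.each do |host, (ver, pe)|
    puts "#{host}: #{ver} policy_enabled=#{pe} -> #{triage(ver, policy_enabled: pe)}"
  end
end
```

A `:mitigated_by_workaround` result still means the instance should be upgraded; the workaround only removes the plugin feature until a patched version is deployed.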
Details
- CWE(s): CWE-862 (Missing Authorization)