CVE-2026-33427
Published: 21 March 2026
Summary
CVE-2026-33427 is a high-severity Missing Authorization (CWE-862) vulnerability in Discourse Discourse. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-33427 by requiring timely remediation of the missing authorization check flaw through vendor patches in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.
Enforces approved authorizations to block unauthenticated attackers from manipulating legitimate Discourse authorization pages to display attacker-controlled domains.
Limits explicitly permitted actions without identification or authentication, preventing unauthenticated manipulation of authorization page domains for social engineering.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Discourse web app directly enables remote exploitation (T1190). Missing authorization allows manipulation of auth page to display attacker domain, facilitating phishing attacks (T1566) via social engineering to steal credentials.
NVD Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain…
more
a patch. No known workarounds are available.
Deeper analysisAI
CVE-2026-33427 affects Discourse, an open-source discussion platform, in versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability stems from a missing authorization check (CWE-862) that allows an unauthenticated attacker to manipulate the display of a legitimate Discourse authorization page, causing it to show an attacker-controlled domain. This issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), highlighting its network accessibility, low complexity, and potential for high integrity impact through social engineering facilitation.
An unauthenticated remote attacker can exploit this vulnerability without privileges by triggering the flawed authorization page rendering. Successful exploitation enables the attacker to present a phishing-like interface mimicking Discourse's legitimate authentication flow but hosted on their controlled domain, potentially tricking users into disclosing credentials or performing other actions under false pretenses.
The official GitHub Security Advisory (GHSA-9vhg-2mx3-mqfr) confirms patches in Discourse versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. No known workarounds exist, so administrators should upgrade affected instances immediately to mitigate the risk.
Details
- CWE(s)