{"id":"CVE-2026-28282","summary":"Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin","details":"Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a private/restricted group has been obtained, the user will be able to read private topics that only the group has access to. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, review all policies for the use of `add-users-to-group` and temporarily remove the attribute from the policy. Alternatively, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.","aliases":["BIT-discourse-2026-28282","GHSA-6cc8-x3rm-j5pf"],"modified":"2026-04-10T05:41:03.692007Z","published":"2026-03-19T21:45:13.648Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28282.json","cwe_ids":["CWE-863"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28282.json"},{"type":"ADVISORY","url":"https://github.com/discourse/discourse/security/advisories/GHSA-6cc8-x3rm-j5pf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28282"},{"type":"FIX","url":"https://github.com/discourse/discourse/commit/64e2514ac17046cfaa8bc68a3c5140bc40736add"},{"type":"FIX","url":"https://github.com/discourse/discourse/commit/c14b8a4cc5fc94e4839a83c5d55765897589f45b"},{"type":"FIX","url":"https://github.com/discourse/discourse/commit/dcde9de530f515e88f99957056ffbcc2e1e03951"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/discourse/discourse","events":[{"introduced":"322d3c0ac6a8f133b3f82875e9dbbe310f638c1b"},{"fixed":"808b2ac23d8ff421563b40203091026732471c60"}],"database_specific":{"versions":[{"introduced":"2026.1.0-latest"},{"fixed":"2026.1.2"}]}},{"type":"GIT","repo":"https://github.com/discourse/discourse","events":[{"introduced":"f7cec86997edc21d6074ceb7666f7e2e6e1b1fdf"},{"fixed":"f38464e46df1b8c51f7d60826502476908d6bb2b"}],"database_specific":{"versions":[{"introduced":"2026.2.0-latest"},{"fixed":"2026.2.1"}]}},{"type":"GIT","repo":"https://github.com/discourse/discourse","events":[{"introduced":"0"},{"last_affected":"896e810e1b296478bba91559a8fc89a9926f11fe"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"= 2026.3.0-latest"}]}}],"versions":["esr","stable","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.8.4","v0.8.5","v0.8.6","v0.8.7","v0.8.8","v0.8.9","v0.9.0","v0.9.1","v0.9.2","v0.9.2.5","v0.9.2.6","v0.9.3","v0.9.4","v0.9.5","v0.9.5.1","v0.9.5.2","v0.9.6","v0.9.6.1","v0.9.6.3","v0.9.6.4","v0.9.7","v0.9.7.1","v0.9.7.2","v0.9.7.3","v0.9.7.4","v0.9.7.5","v0.9.7.6","v0.9.7.7","v0.9.7.8","v0.9.7.9","v0.9.8","v0.9.8.1","v0.9.8.10","v0.9.8.11","v0.9.8.2","v0.9.8.3","v0.9.8.4","v0.9.8.5","v0.9.8.6","v0.9.8.7","v0.9.8.8","v0.9.8.9","v0.9.9.1","v0.9.9.10","v0.9.9.11","v0.9.9.12","v0.9.9.13","v0.9.9.14","v0.9.9.15","v0.9.9.16","v0.9.9.17","v0.9.9.18","v0.9.9.2","v0.9.9.3","v0.9.9.4","v0.9.9.5","v0.9.9.6","v0.9.9.7","v0.9.9.8","v0.9.9.9","v1.0.0","v1.1.0.beta2","v1.1.0.beta3","v1.1.0.beta4","v1.1.0.beta5","v1.1.0.beta6","v1.1.0.beta6b","v1.1.0.beta7","v1.1.0.beta8","v1.2.0.beta1","v1.2.0.beta2","v1.2.0.beta3","v1.2.0.beta4","v1.2.0.beta5","v1.2.0.beta6","v1.2.0.beta7","v1.2.0.beta8","v1.2.0.beta9","v1.3.0.beta1","v1.3.0.beta10","v1.3.0.beta11","v1.3.0.beta2","v1.3.0.beta3","v1.3.0.beta4","v1.3.0.beta5","v1.3.0.beta6","v1.3.0.beta9","v1.4.0.beta1","v1.4.0.beta10","v1.4.0.beta11","v1.4.0.beta12","v1.4.0.beta2","v1.4.0.beta3","v1.4.0.beta4","v1.4.0.beta5","v1.4.0.beta6","v1.4.0.beta7","v1.4.0.beta8","v1.4.0.beta9","v1.5.0.beta1","v1.5.0.beta10","v1.5.0.beta11","v1.5.0.beta12","v1.5.0.beta13","v1.5.0.beta13b","v1.5.0.beta14","v1.5.0.beta2","v1.5.0.beta4","v1.5.0.beta5","v1.5.0.beta6","v1.5.0.beta7","v1.5.0.beta8","v1.5.0.beta9","v1.6.0.beta1","v1.6.0.beta10","v1.6.0.beta11","v1.6.0.beta12","v1.6.0.beta2","v1.6.0.beta3","v1.6.0.beta4","v1.6.0.beta5","v1.6.0.beta6","v1.6.0.beta7","v1.6.0.beta8","v1.6.0.beta9","v1.7.0.beta1","v1.7.0.beta10","v1.7.0.beta11","v1.7.0.beta2","v1.7.0.beta3","v1.7.0.beta4","v1.7.0.beta5","v1.7.0.beta6","v1.7.0.beta7","v1.7.0.beta8","v1.7.0.beta9","v1.8.0.beta1","v1.8.0.beta10","v1.8.0.beta11","v1.8.0.beta12","v1.8.0.beta13","v1.8.0.beta2","v1.8.0.beta3","v1.8.0.beta4","v1.8.0.beta5","v1.8.0.beta6","v1.8.0.beta7","v1.8.0.beta8","v1.8.0.beta9","v1.9.0.beta1","v1.9.0.beta10","v1.9.0.beta11","v1.9.0.beta12","v1.9.0.beta13","v1.9.0.beta14","v1.9.0.beta15","v1.9.0.beta16","v1.9.0.beta17","v1.9.0.beta2","v1.9.0.beta3","v1.9.0.beta4","v1.9.0.beta5","v1.9.0.beta6","v1.9.0.beta7","v1.9.0.beta8","v1.9.0.beta9","v2.0.0.beta1","v2.0.0.beta10","v2.0.0.beta2","v2.0.0.beta3","v2.0.0.beta4","v2.0.0.beta5","v2.0.0.beta6","v2.0.0.beta7","v2.0.0.beta8","v2.0.0.beta9","v2.1.0.beta1","v2.1.0.beta2","v2.1.0.beta3","v2.1.0.beta4","v2.1.0.beta5","v2.1.0.beta6","v2.2.0.beta1","v2.2.0.beta10","v2.2.0.beta2","v2.2.0.beta3","v2.2.0.beta4","v2.2.0.beta5","v2.2.0.beta6","v2.2.0.beta7","v2.2.0.beta8","v2.2.0.beta9","v2.3.0.beta1","v2.3.0.beta10","v2.3.0.beta11","v2.3.0.beta2","v2.3.0.beta3","v2.3.0.beta4","v2.3.0.beta5","v2.3.0.beta6","v2.3.0.beta7","v2.3.0.beta8","v2.3.0.beta9","v2.4.0.beta1","v2.4.0.beta10","v2.4.0.beta11","v2.4.0.beta2","v2.4.0.beta3","v2.4.0.beta4","v2.4.0.beta5","v2.4.0.beta6","v2.4.0.beta7","v2.4.0.beta8","v2.4.0.beta9","v2.5.0.beta1","v2.5.0.beta2","v2.5.0.beta3","v2.5.0.beta4","v2.5.0.beta5","v2.5.0.beta6","v2.5.0.beta7","v2.6.0.beta1","v2.6.0.beta2","v2.6.0.beta3","v2.6.0.beta4","v2.6.0.beta5","v2.6.0.beta6","v2.7.0.beta1","v2.7.0.beta2","v2.7.0.beta3","v2.7.0.beta4","v2.7.0.beta5","v2.7.0.beta6","v2.7.0.beta7","v2.7.0.beta8","v2.7.0.beta9","v2.8.0.beta1","v2.8.0.beta10","v2.8.0.beta11","v2.8.0.beta2","v2.8.0.beta3","v2.8.0.beta4","v2.8.0.beta5","v2.8.0.beta6","v2.8.0.beta7","v2.8.0.beta8","v2.8.0.beta9","v2.9.0.beta1","v2.9.0.beta10","v2.9.0.beta11","v2.9.0.beta12","v2.9.0.beta13","v2.9.0.beta14","v2.9.0.beta2","v2.9.0.beta3","v2.9.0.beta4","v2.9.0.beta5","v2.9.0.beta6","v2.9.0.beta7","v2.9.0.beta8","v2.9.0.beta9","v2025.12.0-latest","v2026.1.0","v2026.1.0-latest","v2026.1.1","v2026.2.0","v2026.2.0-latest","v2026.3.0-latest","v3.0.0.beta15","v3.0.0.beta16","v3.1.0.beta1","v3.1.0.beta2","v3.1.0.beta3","v3.1.0.beta4","v3.1.0.beta5","v3.1.0.beta6","v3.1.0.beta7","v3.1.0.beta8","v3.2.0.beta1","v3.2.0.beta2","v3.2.0.beta3","v3.2.0.beta4","v3.2.0.beta5","v3.3.0.beta1","v3.3.0.beta2","v3.3.0.beta3","v3.3.0.beta4","v3.3.0.beta5","v3.3.0.beta6","v3.4.0.beta1","v3.4.0.beta2","v3.4.0.beta3","v3.4.0.beta4","v3.5.0.beta1","v3.5.0.beta2","v3.5.0.beta3","v3.5.0.beta4","v3.5.0.beta5","v3.5.0.beta6","v3.5.0.beta7","v3.5.0.beta8","v3.5.0.beta9","v3.6.0.beta1","v3.6.0.beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28282.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}