Platform
discourse
Component
discourse
Fixed in
2026.3.1
2026.2.1
2026.1.1
CVE-2026-30888 describes a Privilege Escalation vulnerability affecting Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. This flaw allows moderators to modify site policy documents (Terms of Service, guidelines, privacy policy) despite explicit restrictions. The vulnerability has a CVSS score of 2.2 (LOW) and is resolved with an upgrade to a patched version. No workarounds are currently available.
An attacker exploiting this vulnerability could leverage a compromised moderator account to alter critical site policy documents. This manipulation could be used to inject malicious content, change legal terms, or otherwise compromise the integrity and trustworthiness of the Discourse platform. The impact extends beyond simple content modification; altered policies could be used to facilitate phishing attacks, data exfiltration, or other malicious activities. The ability to modify these documents undermines the platform's governance and could erode user trust.
CVE-2026-30888 was publicly disclosed on 2026-03-20. There are currently no publicly known proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. The low CVSS score suggests a relatively low probability of exploitation, but the lack of workarounds underscores the importance of prompt patching.
Organizations and communities using Discourse for their online forums or discussion platforms are at risk. This includes businesses, educational institutions, and non-profit organizations. Specifically, those running older, unpatched Discourse instances are most vulnerable. Administrators who have granted moderator privileges to users without proper oversight should also be concerned.
• discourse: Check the installed Discourse version using discourse-doctor. If it falls in the affected range (2026.2.0-latest or earlier, or any release before 2026.2.1), prioritize upgrading.
• generic web: Monitor Discourse access logs for unusual activity related to policy document modification attempts. Look for POST requests to /admin/site-policy from moderator accounts.
• generic web: Review Discourse database for unauthorized changes to site policy documents. Specifically, examine the site_policy table for unexpected modifications.
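The log-monitoring step above can be scripted. The following is an added example, not code from the advisory or from the Discourse project: it parses combined-format (nginx/Apache style) access log lines and flags state-changing requests against the /admin/site-policy route named on this page. The route prefix is taken from the advisory text and should be treated as an assumption to confirm against your own deployment; the sample log lines are constructed for the example. Access logs do not carry the Discourse account, so attribution to a moderator account is left to the application's own logs or database review.

```python
import re
from typing import Dict, Iterable, List, Optional

# Route prefix quoted in the advisory's detection guidance (assumption:
# confirm the exact path on your own Discourse instance).
POLICY_PATH_PREFIX = "/admin/site-policy"
# Methods that could modify a policy document; GET views are ignored.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_policy_writes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every state-changing request whose path is under the policy route."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-standard line; skip rather than crash
        path = rec["path"].split("?", 1)[0]  # drop query string before comparing
        if rec["method"] in WRITE_METHODS and path.startswith(POLICY_PATH_PREFIX):
            hits.append(rec)
    return hits


def count_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate flagged requests per client IP for triage."""
    counts: Dict[str, int] = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic). Two write attempts against the
# policy route, one read, one unrelated request, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2026:10:15:02 +0000] "GET /admin/site-policy HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Mar/2026:10:15:40 +0000] "PUT /admin/site-policy/tos HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:16:11 +0000] "POST /admin/site-policy?draft=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Mar/2026:10:17:00 +0000] "GET /t/some-topic/12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    flagged = find_policy_writes(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print(count_by_ip(flagged))
```

A 200 response to a write from a moderator account on an unpatched instance is the signal to follow up with the database review described above; a 403 indicates the restriction held, but repeated attempts from one client are still worth noting. Feed real logs in with `find_policy_writes(open(path))`.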
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-30888 is to upgrade to a patched version of Discourse. Affected versions include those less than or equal to 2026.2.0-latest and versions prior to 2026.2.1. Specifically, upgrade to 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. Since no workarounds are available, immediate patching is crucial. After upgrading, verify the integrity of site policy documents to ensure no unauthorized modifications have occurred. Regularly review moderator permissions and access controls to prevent future privilege escalation attempts.
Update Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, or a later version, to fix the privilege escalation vulnerability. No known workarounds are available.
CVE-2026-30888 is a vulnerability in Discourse that allows moderators to edit site policy documents they shouldn't be able to, potentially altering terms of service or privacy policies.
You are affected if you are running Discourse versions less than or equal to 2026.2.0-latest or versions before 2026.2.1. Check your version and upgrade if necessary.
Upgrade your Discourse installation to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. No workarounds are available.
Currently, there are no publicly known exploits or confirmed active exploitation campaigns for CVE-2026-30888.
Refer to the official Discourse security advisory for details: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)