Platform: discourse
Component: discourse
Fixed in: 2026.3.1, 2026.2.1, 2026.1.1
CVE-2026-30888 describes a privilege escalation vulnerability affecting Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The flaw allows moderators to bypass the intended restriction and edit the site's policy documents: the terms of service, guidelines, or privacy policy. Affected versions are those up to and including 2026.2.0-latest and those before 2026.2.1. A patch is available in the fixed versions listed above.
The primary impact of CVE-2026-30888 is unauthorized modification of site policy documents within a Discourse instance. A malicious or compromised moderator could rewrite the terms of service, guidelines, or privacy policy, misleading users and undermining the integrity of the platform. Although the CVSS score is LOW, the effect on user trust and legal compliance could be significant for organizations that rely on these policies. Bypassing an intended restriction in this way is a clear escalation of privileges.
CVE-2026-30888 was publicly disclosed on 2026-03-20. No public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog as of this writing. Given the low CVSS score and the absence of public exploits, the probability of active exploitation is considered low, but prompt patching is still recommended.
Exploit Status
EPSS: 0.03% (9th percentile)
The definitive mitigation for CVE-2026-30888 is to upgrade your Discourse installation to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, which include the patch for this privilege escalation. No workarounds are available for this issue. Before upgrading, take a full backup of the Discourse database and uploaded files. After upgrading, review the site policy documents and their revision history to confirm they have not been tampered with.
Update Discourse to version 2026.3.0-latest.1, 2026.2.1 or 2026.1.2, or a later version, to fix the privilege escalation vulnerability. No known workarounds are available.
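The remediation above comes down to one check: is the running version below the fixed version for its release branch? As an added example (not code from Discourse or from this advisory), the script below parses Discourse version strings and answers that question. It assumes the version grammar seen on this page (YEAR.MONTH.PATCH with an optional "-latest" or "-latest.N" suffix for rolling pre-release builds, which sort before the tagged release of the same patch number), and it assumes the running version can be read from the `about.version` field of the instance's /about.json response; confirm both against your own deployment. Because the advisory prose and the "Fixed in" header on this page list slightly different fixed versions, the fixed set is a parameter, with the prose values as the default.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple

# Fixed versions as stated in the advisory prose on this page. Pass your own
# list to is_affected() if you follow the page's "Fixed in" header instead.
FIXED_VERSIONS = ("2026.3.0-latest.1", "2026.2.1", "2026.1.2")

# Assumed version grammar: YEAR.MONTH.PATCH, optionally followed by "-latest"
# or "-latest.N" to mark a rolling pre-release build of that branch.
_VERSION_RE = re.compile(
    r"^(?P<year>\d+)\.(?P<month>\d+)\.(?P<patch>\d+)"
    r"(?P<latest>-latest(?:\.(?P<n>\d+))?)?$"
)


class DiscourseVersion(NamedTuple):
    """Tuple order is the sort order: a "-latest" build sorts before the
    tagged release with the same patch number, as in semantic versioning."""
    year: int
    month: int
    patch: int
    is_release: int   # 0 for "-latest" builds, 1 for a tagged release
    latest_n: int     # the N in "-latest.N", 0 when absent

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.year, self.month)


def parse_version(text: str) -> DiscourseVersion:
    """Parse a Discourse version string; reject anything outside the grammar."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Discourse version string: {text!r}")
    return DiscourseVersion(
        year=int(m["year"]),
        month=int(m["month"]),
        patch=int(m["patch"]),
        is_release=0 if m["latest"] else 1,
        latest_n=int(m["n"] or 0),
    )


def is_affected(version: str, fixed: Iterable[str] = FIXED_VERSIONS) -> bool:
    """True when `version` is older than the fix for its release branch.

    Branches newer than every listed fixed version are treated as patched;
    branches older than every listed one (or unlisted ones in between) are
    treated as unpatched, which is the conservative reading of the advisory.
    """
    v = parse_version(version)
    fixed_by_branch: Dict[Tuple[int, int], DiscourseVersion] = {}
    for f in fixed:
        fv = parse_version(f)
        # Keep the lowest fixed version if a branch is listed more than once.
        if fv.branch not in fixed_by_branch or fv < fixed_by_branch[fv.branch]:
            fixed_by_branch[fv.branch] = fv
    if v.branch in fixed_by_branch:
        return v < fixed_by_branch[v.branch]
    if v.branch > max(fixed_by_branch):
        return False  # branch cut after the fix landed
    return True       # older or unlisted branch: assume unpatched


def version_from_about_json(about: dict) -> str:
    """Extract the running version from a parsed /about.json response.
    Assumption: the value lives at about["about"]["version"]."""
    return about["about"]["version"]


# Constructed sample of a parsed /about.json for an instance still on the
# 2026.2 rolling branch (not captured from a real site).
SAMPLE_ABOUT = {"about": {"title": "Example Forum", "version": "2026.2.0-latest"}}

if __name__ == "__main__":
    running = version_from_about_json(SAMPLE_ABOUT)
    print(running, "affected" if is_affected(running) else "patched")
```

To run it against a live instance, fetch `https://<your-forum>/about.json`, parse it with `json.loads`, and pass the result to `version_from_about_json`; the parser raises `ValueError` on any string it does not recognise rather than guessing, so an unexpected format is surfaced instead of silently reported as patched.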
CVE-2026-30888 is a vulnerability in Discourse that allows moderators to edit site policy documents they shouldn't be able to, potentially altering terms of service or privacy policies.
You are affected if you are running Discourse versions less than or equal to 2026.2.0-latest or versions before 2026.2.1. Check your version and upgrade if necessary.
Upgrade your Discourse installation to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2. No workarounds are available.
Currently, there are no publicly known exploits or confirmed active exploitation campaigns for CVE-2026-30888.
Refer to the official Discourse security advisory for details: https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx (placeholder; replace with the actual advisory link)