Nixpkgs security tracker

Untriaged

Permalink CVE-2026-28227

created 1 month, 2 weeks ago

Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Timer publish_to_category

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

References

https://github.com/discourse/discourse/security/advisories/GHSA-m49w-78mh-87jp x_refsource_CONFIRM

Affected products

discourse

==< 2025.12.2
==>= 2026.2.0-latest, < 2026.2.0
==>= 2026.1.0-latest, < 2026.1.1

Matching in nixpkgs

pkgs.discourse

Discourse is an open source discussion platform

nixos-unstable 2025.12.1
- nixpkgs-unstable 2025.12.1
- nixos-unstable-small 2025.12.1
nixos-25.11 2025.12.1
- nixos-25.11-small 2025.12.1
- nixpkgs-25.11-darwin 2025.12.1

pkgs.discourseAllPlugins

Discourse is an open source discussion platform

nixos-unstable 2025.12.1
- nixpkgs-unstable 2025.12.1
- nixos-unstable-small 2025.12.1
nixos-25.11 2025.12.1
- nixos-25.11-small 2025.12.1
- nixpkgs-25.11-darwin 2025.12.1