{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.700Z", "datePublished": "2026-03-20T02:55:58.300Z", "dateUpdated": "2026-03-21T02:54:32.524Z"}, "containers": {"cna": {"title": "Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": "< 2026.3.0-latest.1", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:55:58.300Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-jj9p-p7m6-jq96", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T02:54:20.305999Z", "id": "CVE-2026-30888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:54:32.524Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T02:54:20.305999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:54:28.617Z"}}], "cna": {"title": "Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint", "source": {"advisory": "GHSA-jj9p-p7m6-jq96", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": "< 2026.3.0-latest.1"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:55:58.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30888", "state": "PUBLISHED", "dateUpdated": "2026-03-21T02:54:32.524Z", "dateReserved": "2026-03-06T00:04:56.700Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:55:58.300Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents (ToS, guidelines, privacy policy) that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Las versiones anteriores a 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 permiten a un moderador editar documentos de pol\u00edtica del sitio (T\u00e9rminos de Servicio, directrices, pol\u00edtica de privacidad) que tienen expl\u00edcitamente prohibido modificar. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-30888", "lastModified": "2026-03-24T19:59:16.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T03:15:58.860", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-jj9p-p7m6-jq96"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.3.0-latest.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2026.1.0-latest,2026.1.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-20T04:20:59.559201+00:00", "value": {"mitigation_remediation": ["Upgrade to Discourse 2026.3.0-latest.1 or newer to apply the patch."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are versions of the Discourse open\u2011source discussion platform that are older than the patched releases 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability exists in all Discourse releases prior to these patched versions. No known workarounds are available; the only mitigation is to apply the patch or upgrade to a newer release.", "description_and_impact": "The vulnerability in Discourse allows a moderator to perform a privilege escalation by supplying an arbitrary post_id to the suspend/silence endpoint. Key issue is that the endpoint does not properly authorize access to post objects outside the moderator's scope. As a result, moderators are able to edit site policy documents such as the Terms of Service, community guidelines, and privacy policy, which they are explicitly prohibited from modifying. This creates an integrity violation that can undermine trust in the platform and lead to policy misinformation. CWE-269 describes this as an access control flaw.", "risk_and_exploitability": "The CVSS score is 2.2, indicating low severity. EPSS data is not available, and the vulnerability has not been listed in the CISA KEV catalog. The attack requires legitimate moderator access, so the vector is internal or trusted. An attacker with moderator credentials can easily exploit the flaw by directly calling the suspend/silence endpoint with a crafted post_id. The exploit is straightforward and does not require external network exposure, but it does not affect unprivileged users."}}}}, "created": "2026-03-20T08:52:56.953253+00:00", "updated": "2026-03-20T10:37:40.234951+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}