CVE-2026-29072

HIGH discourse NVD

CVSS Score 7.5

Severity HIGH

Published Mar 19, 2026

Vendor discourse

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable the discourse-policy plugin by disabling the `policy_enabled` site setting.

References

https://github.com/discourse/discourse/security/advisories/GHSA-7ph8-vprq-4jrp