Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query Execution
Vulnerability Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. As a workaround, either explicitly set group permissions on each Data Explorer query that doesn't have permissions, or disable discourse-data-explorer plugin.
CVSS Information
N/A
Vulnerability Type
访问控制不恰当
Vulnerability Title
Discourse 访问控制错误漏洞
Vulnerability Description
Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 2025.12.2之前版本、2026.1.1之前版本和2026.2.0之前版本存在访问控制错误漏洞,该漏洞源于Data Explorer插件中访问控制失败开放,允许任何经过身份验证的用户执行SQL查询。
CVSS Information
N/A
Vulnerability Type
N/A