CVE-2026-26265 | Discourse up to 2025.12.1/2026.1.0 Directory Items Endpoint DirectoryItemsController user_field_ids authorization
A vulnerability, which was classified as problematic, was found in Discourse up to 2025.12.1/2026.1.0. This issue affects the function DirectoryItemsController of the component Directory Items Endpoint. The manipulation of the argument user_field_ids results in incorrect authorization.
This vulnerability is known as CVE-2026-26265. It is possible to launch the attack remotely. No exploit is available.
You should upgrade the affected component.