Discourse Authenticated Authorization Bypass – Issue Official Warnings as Non-Staff (CVE-2026-27491)
An authorization flaw in Discourse allows authenticated non-staff users to issue official warnings to other users by abusing type coercion in the post_actions endpoint.